PHP's printf vs echo!

Paithar

Sorry but this is a small rant about the company I'm currently working for. I'd complain to my boss but since I've only had the job since the beginning of July and they're letting me learn PHP and MySQL on-the-fly I can't really complain too awful much.

I'm sure I mentioned a bit about this another time on this forum but this company has a complete client specific website written in PHP (version 3.x or thereabouts) and MySQL (some version prior to any 4.x). Every single page is written in such a way that printf's are used to output every single line of HTML. Even if it's a static line that never changes it's done this way (90% of all of the pages are static). They also make extensive use of html table statements (no CSS whatsoever).

When I first started and noticed this practice I assumed that it was because the people that wrote the site (and still work here) only learned enough PHP to get the job done because the website is actually secondary to their actual product here. They continually complain about web pages loading slow.

When I started they knew that I also did not know PHP nor MySQL and they were more than willing to allow me to learn on-the-fly. So, not realizing that they were using such old versions of PHP and MySQL I learned/am learning PHP4/5 and MySQL4. They give me my first assignment and I code it according to what I was learning and my own programmer preferences that had done me very well for the last 10 years in other languages. I test it out and that's when I realized what versions they were using. So I ask why they aren't using newer versions and the answer I get is because they're not convinced that the security is really all there with the newer versions.

I try to tell them that the newer versions are more secure (or at the very least just as secure) as what they're using but they don't want to change but said they would think about it for sometime in the future. That should've been my first clue as to the thought process of these people but I just didn't catch it.

I then ask why they use printf's exclusively. The answer was a two-parter. First, they seem to think that printf's are more secure than any other similar statement like echo's. Second, they like the thought that they can format the output even though 90% of every page is static and does not change at all. Once again I try to tell them printf's are no more secure than any other similar statement and that echo statements I believe are a little bit faster than printf's. It was about two weeks ago that I finished my first project they gave me and I coded with echo statements. The code looked nice from a programmer's perspective even though I had to use a lot of tables, especially compared to other pages with all of their printf statements and tables. For my next project I needed to grab a certain part of the page I created back then because it was basically being duplicated for this new project. For some reason or another I couldn't find my copy of the previous web page so I grabbed the one from our webserver. When I opened it up I find out that they didn't like my echo statements and took the time to basically rewrite my nice and neat code to be all printf's and no formatting whatsoever.

The thing that really gets me is that they never said to me, "You must code all pages with printf's" and I'm the type of guy that won't do something that even appears to be a standard if it's not explicitly told to me or written down in some kind of standards manual, especially if I think it's bad coding practice.

Man! I'm going to go nuts if they actually come back and tell me to code that way. I had hoped that I would be able to stay with this company for the rest of my career but it's now beginning to look like I'm only going to stay here for a year or so. Just long enough to say that I have some good experience with PHP and MySQL so that I can go out and work for a company that actually has decent coding standards and uses at least somewhat newer versions of the languages.

Ok. Sorry, it turned out to be a long rant.
 
Uh wtf are these people thinking. Here's my take, maybe it will give you some ammunition (PS I've been coding PHP for like, forever, and I do it 8 hours a day 5 days a week for huge corporate projects and such)

First off, if it's complete static content, you don't need any of that crap.

Say you want to write some html like so:
Code:
<table  width="100%" border="1" cellpadding="2" cellspacing="1">
  <tr>
    <td>
    <p>Hey check this out</p>
    </td>
  </tr>
</table>

I assume by "printf's are used to output every single line of HTML" that the code you came across looks like:

Code:
// printf() treats its first argument as a format string, so a literal % is written %%
printf("<table  width=\"100%%\" border=\"1\" cellpadding=\"2\" cellspacing=\"1\">\n");
printf("  <tr>\n");
printf("    <td>\n");
printf("    <p>Hey check this out</p>\n");
printf("    </td>\n");
printf("  </tr>\n");
printf("</table>\n");

But in reality all you have to do to write out static content is close the PHP tags ?>
Like so:
Code:
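<?php
// foo() and bar() stand in for whatever PHP runs before the static markup
foo();
bar();
?>

<table  width="100%" border="1" cellpadding="2" cellspacing="1">
  <tr>
    <td>
    <p>Hey check this out</p>
    </td>
  </tr>
</table>

<?php
// back in PHP after the static markup
foo();
bar();
?>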



Second off:

printf() is used for PRINTing Formatted data (hence PRINT F). You use that when you want to insert variables into a formatted string, for instance (from php.net):

Code:
$num = 5;
$location = "tree";
$format = "The %s contains %d monkeys";
printf($format, $location, $num); // arguments follow the order of %s and %d

You don't need to use printf() when you're just putting out a static string.
Two functions are more commonly used to accomplish this goal: print() and echo()
(PS neither are actual functions, they don't need () to work properly)

The differences between the two are compared more in depth at http://www.faqts.com/knowledge_base/view.phtml/aid/1/fid/40 (direct link from php.net)

Anyways, the real WTF here is the "security issue". I've NEVER heard of any kind of security problem using freakin output statements. For god's sake, it's taking a string and writing it to the output buffer! I don't even think it's possible for there to be a security problem with something of that nature.

The only real problems I've ever [RARELY] heard of (and this should exist for any output statement not just print or echo) is the output buffer size. And this isn't a security issue, this is a performance issue. I.E. if you try to echo a string that's like wicked huge (8k), this can cause some slowdowns on the server-side. With ASTONISHING performance losses causing your output to download at .0001 seconds slower than usual! INSANE!

ok I'm done


****EDIT
I added an exclamation point after one of my sentences cause I wanted to convey my outrage better.
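
An added example, not code from any poster in this thread: it captures what echo, print and printf actually send, shows that escaping comes from htmlspecialchars() rather than from the choice of output statement, and shows the one place printf differs (it parses `%` in its first argument). The `capture()` helper and the sample value are constructed for the illustration.

```php
<?php
// Added example, not code from the thread. Run with the PHP CLI.

// Collect whatever $emit writes to the output buffer and return it as a string.
function capture(callable $emit): string
{
    ob_start();
    try {
        $emit();
        return ob_get_contents();
    } finally {
        ob_end_clean(); // always close the buffer, even if $emit throws
    }
}

// Constructed sample value containing HTML metacharacters.
$name = '<b>Paithar</b> & "co"';

// 1. The same data through echo, print and printf: compare the raw bytes.
$viaEcho   = capture(function () use ($name) { echo "<p>$name</p>\n"; });
$viaPrint  = capture(function () use ($name) { print "<p>$name</p>\n"; });
$viaPrintf = capture(function () use ($name) { printf("<p>%s</p>\n", $name); });
echo 'echo === print:  ', var_export($viaEcho === $viaPrint, true), "\n";
echo 'echo === printf: ', var_export($viaEcho === $viaPrintf, true), "\n";
echo 'raw output:      ', $viaPrintf;

// 2. Escaping comes from htmlspecialchars(), whichever statement prints the result.
$escaped   = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
$escEcho   = capture(function () use ($escaped) { echo "<p>$escaped</p>\n"; });
$escPrintf = capture(function () use ($escaped) { printf("<p>%s</p>\n", $escaped); });
echo 'escaped equal:   ', var_export($escEcho === $escPrintf, true), "\n";
echo 'escaped output:  ', $escEcho;

// 3. printf() parses its first argument as a format string, so a literal %
//    in static HTML has to be doubled.
echo 'doubled %:       ', capture(function () { printf("<table width=\"100%%\">\n"); });
try {
    // Single %: PHP 8 throws ValueError; older versions do not throw and drop characters.
    echo 'single %:        ', capture(function () { printf("<table width=\"100%\">\n"); });
} catch (\Throwable $e) {
    echo get_class($e), ': ', $e->getMessage(), "\n";
}
```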
 
And as for using PHP3 as opposed to a newer version.

It really depends on what you're doing. If you're just making some simple scripts, with little to no database interaction or whatever, I wouldn't fret about it. If you're intent on learning with php4/5, make your own server, or get some personal webhosting with php4/5.

The reason I say this is not because I don't think you should upgrade your php version, it's because it sounds like the guys are total morons. And I'm afraid that if you pester them about it they'll probably freak out and start firing people.

If you want to be a dick, just say: "Hey WinXP is cool and all, but let's stick with Win98 cause it's more secure."
 
You may want to try pointing your coworkers to a popular, well-established, open source product that's written in PHP. You can almost always get access to the source code over the web, through CVSWeb or whatever. Find a few source files from something like Drupal, Gallery2, or osCommerce, and show them that no competent PHP developer would try to code that way.
 
Don't get me wrong. The people here are really knowledgeable when it comes to the languages they normally program in every day which is mainly C. I guess that's why they use printf's the most but when I asked they did say "for security". I have no idea where they got that idea.

ekliptikz, yeah you were correct on your assumption of the using printf for every single line of html except that they don't even put the spaces in to give it some form of structure. I know the spaces don't make a difference to the actual output but it lets us coders read the source a lot easier. I'm constantly finding myself having to read every single line from beginning to end to find the spots I need to change or whatever. It sucks. Usually in at least decently formatted code I can skim through the code and find the things I need but here this is not the case.

What I'm hoping to do is take the existing site and port it over to php4/5 and mysql4 since that's what I already have installed for development on my work pc and my personal laptop. Actually I've already started doing this but it's going to take some time because they have like 50 web pages, although probably half of those are simple menu pages and that's it. Unfortunately I have to do this almost all in my own personal time. I'm hoping that once I get this ported and tested out as much as I can on my own system that they'll see the benefits of upgrading and maybe then they will change.

Until that time however I guess I'm going to have to do all projects they give me in php3. I still won't code exclusively with printf's unless they come to me and say that my job is on the line if I don't.

Thanks for the replies everyone. Mainly I just had to rant to someone, anyone, that understands some of this. Since my wife has no clue about any of these kinds of things it doesn't do me much good to rant to her because I end up having to explain everything in detail so she'll understand.
 
Well, at least you get to use PHP. Me, I've got an IT guy that refuses to let me use PHP on our web servers because it's too insecure. Translation, he's too lazy to check on it every so often and install any patches that may be available.

Then, I've got a boss who, if it doesn't work on our NT4 server, and thus he can't look at it in the office without a little extra effort means I can't use HTML includes. Plus the fact that the one time I finally managed to convince him to let me use them, his ultra-archaic copy of IE didn't recognize the .shtml extension. Of course every other system in the office could, but because his couldn't, that was out the window.

Javascripts?? Limited to cutesy crap like image rollovers.

And speaking of image rollovers, ever done graphic design in Photoshop 4.01?? Yeah, tell me about it.

Of course, PS4 is great for making those oh so eye catching, flashing new GIFs he loves so much. Yesterday I made a [rather nice looking] banner for a new release and he told me it "wasn't obnoxious enough." It's my job to make seizure inducing graphics.


Do you have any idea how hard it is to keep sites with thousands of pages and 10s of thousands of daily visitors fresh and in good running order without basic tools like includes?? And no CMS? And no database? Thank god he didn't balk when I told him we were moving to CSS and semantic XHTML rather than the table heavy, non-validating, HTML 3.2 we'd been using. If he had, I probably would have completely lost it.


Wanna come see what backwards truly is?? If it weren't for the crazy ass pay, I'd drop this place like a bad habit. As it is, I'm still looking. For now my creative abilities are stroked by the freelancing work I do. They don't seem to mind me using Photoshop CS, or PHP, or any other design tool created within the last century.
 
Damn animeguru, I don't feel quite so bad now. I would do the freelance work as well but since I've only just begun learning php and mysql I don't feel that I'm quite up to the level needed for getting paid for working on another site. I have however been thinking of totally redesigning my old high school's web page because it just plain sucks. I know the principal since my son is going to school there now so I thought I might redesign it for free and present it to him.

Also, I just found out today that the php menu pages they use here are messed up. When viewing the pages they appear to be a simple html page with plain old, underlined links for each menu item. I can create this kind of thing in my sleep. I had to actually make a change to one today and so I go into it and I'm blown away by how they're doing things.

First off, everything is contained in php statements. This is so that they can control what menu items are available to the different user access levels. No problem. They're of course using printf's for the display of everything but instead of using a plain old link via the html anchor tag they have short javascript code for each link that just loads the page that the menu item is supposed to go to. I asked why they were doing this and they said it gets them around having to have a submit button at the bottom of the page. I then look again and I see that I had missed that they had put everything into html form tags. Even though they don't actually display any form fields they have it all surrounded by form tags. At that point I decided to not even try to tell them that they can use a simple anchor tag and be done with it.

Oh well. Hey, I'm curious about something. For those of you who do freelance work, how much experience did you have before you decided you were good enough to go freelance? I've gone to a couple of sites that post php work that needs to be done and some of the stuff is clearly beyond my current knowledge of php and mysql but other stuff seems like it would actually be no problem for me. The only reason I haven't tried to get one of those yet is because I'm wondering if they'd even want me since I have only been learning and using PHP and mysql for a couple of months.
 
Yeah, it kinda sucks. Honestly though, even though I'm tired of the crap I have to deal with, in some respects I am thankful. Years of working with the absolute minimum has forced me to think of more and more clever ways of accomplishing my goals. I've become extremely adept at clean code that functions on the same level as a lot of more complex sites I've seen. You really can accomplish a lot with just (X)HTML and CSS.

As to the freelancing. I started off doing stuff for people I knew. In the beginning I did a lot of work for free or for very little. After a while, people they knew would be in need of something and I could start charging prices closer to my skillset.

I wouldn't say you have to know a lot, but never misrepresent yourself. Be honest about your skill level, don't tell them you can do something you can't. Easiest thing would be to build a couple of sites that show what you can do. They can be personal sites, but at least you'll have the beginnings of a portfolio.

Also, never rest on your laurels. Expect to learn new ideas and technologies for the rest of your career.
 