
I loved PHP at first too, but the more I started to do serious work in it, the more I grew to hate it. There are so many better languages out there these days, but PHP seems to live off the hype it gained when it was basically a choice between CGI/Perl, Classic ASP and PHP.

PHP ended up annoying me so much that I switched back to Perl (using mod_perl for performance-critical stuff). However, my latest project is being written in Golang (I know it's all just personal preference, but everything that I hated about PHP, Go seems to get right).

I know many HN members will already be familiar with the following blog post, but it highlights many of my frustrations: http://me.veekun.com/blog/2012/04/09/php-a-fractal-of-bad-de...



I loved PHP at first too, but the more I started to do serious work in it, the more I grew to hate it.

I can second that. It's great to get into quickly and just hack something together. But it has lots of problems. Admittedly the devs have begun addressing a lot of issues, like the database access one, where you had just a bunch of functions that didn't even offer auto-escaping and resulted in a lot of unsafe sites, but the old stuff is always kept for backwards compatibility, which means that a lot of sites just continue to be unsafe.

I think a lot of those problems stem from the fact that php doesn't have any sort of built-in module system and everything is just on the root level of the language. There are optional namespaces, but even for those they use "\" (like \parent\child), which IMHO is just about the worst choice ever.

Then you have issues like the devs just pushing out a new version even though like 99% of their tests failed (but hey, apparently they at least have tests).

And of course you have the never-ending story of bad php developers who came into the field because you can just hack stuff together by copy-pasting googled code snippets without understanding anything. Seriously, if anyone thinks this issue is overstated: it's not. If anything, it is understated.

I have seen productive systems, over which money in the tens of thousands of Euros came in, which had hidden fields in the HTML containing complete SQL queries that even included the price (apart from the obvious downfall of enabling someone to just POST a 'DROP TABLE' statement, etc.). I have seen systems with something like static 5-digit user authentication tokens that would show up in the URL; you could just sit behind an admin, note the token and be an admin forever. And of course I have seen the ugliest, most completely unmaintainable mess of code that would be humanly possible, with no documentation whatsoever (of course).

I also heard from a friend who had to fix something in the C code making up php about hundreds of lines of code being copy-pasted to different locations twelve times. While I haven't verified that for myself, it's not something I'd be surprised about.

Then of course there's the issue of php's design. For one, your complete software has to be loaded for every single page view, which is just really fucking inefficient. But having the application not run continuously is also a problem if you want to write any sort of real-time application, which are going to become more and more frequent. You can do stuff like long-polling, but that's just another ugly hack. You might of course be able to have another hacky solution with continuously running php-cli with FastCGI or something like that, but even if that would work in principle, some php script would just die within a few minutes and the site'd be dead.

TL;DR: For small projects that may be hacky and potentially insecure, php is fine. For everything that is supposed to be proper, secure or highly performant, I recommend you stay away from php as far as you possibly can. Everything else will just result in huge frustration.
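The two database problems raised above (legacy query functions with no escaping, and forms that carry the SQL and the price in hidden fields) have a standard fix in PHP: a fixed statement on the server, bound parameters for the values, and the price read from the database rather than from the form. The following is an added example, not code from the thread; it uses PDO with an in-memory SQLite database so it runs stand-alone, and the `products` table, the form field names and the sample requests are constructed for illustration.

```php
<?php
// Added example (not from the thread). PDO + in-memory SQLite so it runs without a server;
// the products table, field names and sample POST arrays are constructed for illustration.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL, price REAL NOT NULL)');
$pdo->exec("INSERT INTO products (name, price) VALUES ('widget', 9.99), ('gadget', 24.50)");

// The pattern described in the thread: the HTML form carries the query (price included) in a
// hidden field and the server runs whatever comes back. Every field is client-controlled, so the
// price can be rewritten and the statement itself replaced. Kept here only as the "before" form.
function orderTotalUnsafe(PDO $pdo, array $post): float
{
    $row = $pdo->query($post['price_query'])->fetch(PDO::FETCH_ASSOC); // raw SQL from the client
    return (float) $row['price'] * (int) $post['qty'];
}

// Hardened: the client may only name a product id and a quantity. The SQL text is fixed, values
// travel as bound parameters (never concatenated), and the price comes from the database.
function orderTotalSafe(PDO $pdo, array $post): ?float
{
    $productId = filter_var($post['product_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    $qty = filter_var($post['qty'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000]]);
    if ($productId === false || $qty === false) {
        return null; // reject malformed input instead of guessing
    }
    $stmt = $pdo->prepare('SELECT price FROM products WHERE id = :id');
    $stmt->execute([':id' => $productId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : round((float) $row['price'] * $qty, 2);
}

// Constructed requests: a legitimate submission, and one where the hidden field was edited
// before submission. The safe path never looks at price_query, so the edit has no effect.
$legit    = ['product_id' => '1', 'qty' => '2'];
$tampered = ['price_query' => 'SELECT 0.01 AS price', 'product_id' => '1', 'qty' => '2'];

printf("unsafe, tampered form: %.2f\n", orderTotalUnsafe($pdo, $tampered));
printf("safe,   tampered form: %s\n", var_export(orderTotalSafe($pdo, $tampered), true));
printf("safe,   legit form:    %s\n", var_export(orderTotalSafe($pdo, $legit), true));
printf("safe,   bad qty:       %s\n", var_export(orderTotalSafe($pdo, ['product_id' => '1', 'qty' => 'x']), true));
```

The point of the hardened version is not escaping but separation: the statement text never contains client data, and the only thing the client can influence is which row is looked up. Validation with `filter_var` on top of that keeps garbage out of the bound parameters, but it is the prepared statement that removes the injection class entirely.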


I have seen productive systems, over which money in the tens of thousands of Euros came in, which had hidden fields in the HTML containing complete SQL queries that even included the price (apart from the obvious downfall of enabling someone to just POST a 'DROP TABLE' statement, etc.). I have seen systems with something like static 5-digit user authentication tokens that would show up in the URL; you could just sit behind an admin, note the token and be an admin forever. And of course I have seen the ugliest, most completely unmaintainable mess of code that would be humanly possible, with no documentation whatsoever (of course).

To be fair, only the last thing you list could (but doesn't have to) apply to PHP, and the rest mostly refer to incompetent practices which could be applied with any language. I'm not going to be a PHP apologist, but I do remember a couple of weeks when it looked like every day there was another exploit in Rails (which is not Ruby, blah blah blah) or a problem with exposing app tokens or something. Do I get to say Ruby is a toy language because at some point the YAML parser allowed for remote code execution?

Of course not, because that problem's been (I assume) fixed. The SQL libraries are being deprecated in PHP; it's had parameterized queries for a while. You can do secure cookies and sessions. People just don't; it's not as integrated a community as with Rails and Python. You can't just say "everybody update your repos" and then the problem goes away, unfortunately. But that's an issue with education and deployment, not necessarily the language.

I also heard from a friend who had to fix something in the C code making up php about hundreds of lines of code being copy-pasted to different locations twelve times. While I haven't verified that for myself, it's not something I'd be surprised about.

Well... then that's just, like, your opinion man.
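The reply above says PHP can do secure cookies and sessions and that the problem is that people don't use them; the earlier comment gives the counter-example of a static 5-digit token in the URL. This added example (not from the thread, and not any framework's code) shows what the secure variant looks like with plain PHP: a token drawn from the CSPRNG, stored only as a hash, tied to an expiry, and delivered in a cookie rather than a URL. It assumes PHP 7.3 or later for the options-array form of `setcookie`, and the `sessions` table and user id are constructed for illustration.

```php
<?php
// Added example (not from the thread). Assumes PHP >= 7.3 (setcookie with an options array);
// the sessions table and the user id 42 are constructed for illustration.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE sessions (
    token_hash TEXT PRIMARY KEY,
    user_id    INTEGER NOT NULL,
    expires_at INTEGER NOT NULL
)');

// Issue a session: 32 bytes from the CSPRNG (256 bits, versus 5 decimal digits), stored only as a
// SHA-256 hash so a database leak does not hand out live sessions, with a hard expiry.
function issueSession(PDO $pdo, int $userId, int $ttlSeconds = 3600): string
{
    $token = bin2hex(random_bytes(32));
    $stmt = $pdo->prepare(
        'INSERT INTO sessions (token_hash, user_id, expires_at) VALUES (:h, :u, :e)'
    );
    $stmt->execute([
        ':h' => hash('sha256', $token),
        ':u' => $userId,
        ':e' => time() + $ttlSeconds,
    ]);
    return $token;
}

// Deliver it in a cookie, not in the URL: HttpOnly keeps it away from page scripts, Secure keeps
// it off plain HTTP, SameSite limits cross-site requests, and nothing ends up in Referer headers,
// access logs or over someone's shoulder in the address bar.
function sendSessionCookie(string $token, int $ttlSeconds = 3600): void
{
    setcookie('sid', $token, [
        'expires'  => time() + $ttlSeconds,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Resolve a presented token. Lookup is by hash, the expiry is enforced in the query, and an
// unknown or expired token yields null rather than a default user.
function userForSession(PDO $pdo, string $token): ?int
{
    $stmt = $pdo->prepare(
        'SELECT user_id FROM sessions WHERE token_hash = :h AND expires_at > :now'
    );
    $stmt->execute([':h' => hash('sha256', $token), ':now' => time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['user_id'];
}

// Logout / rotation: drop the server-side record so the token is dead even if a copy survives.
function revokeSession(PDO $pdo, string $token): void
{
    $stmt = $pdo->prepare('DELETE FROM sessions WHERE token_hash = :h');
    $stmt->execute([':h' => hash('sha256', $token)]);
}

// Constructed walk-through (cookie sending is skipped on the CLI because headers are already out).
$token = issueSession($pdo, 42);
if (PHP_SAPI !== 'cli') {
    sendSessionCookie($token);
}
printf("valid token resolves to: %s\n", var_export(userForSession($pdo, $token), true));
printf("short guessed token:     %s\n", var_export(userForSession($pdo, '00042'), true));
revokeSession($pdo, $token);
printf("after revocation:        %s\n", var_export(userForSession($pdo, $token), true));
```

Each piece addresses one part of the failure the earlier comment describes: randomness and length make the token unguessable, the cookie flags keep it out of URLs and scripts, the expiry and revocation mean "be an admin forever" stops being possible, and hashing at rest limits what a database dump is worth. Rotating the token on privilege change (for example after login) with `issueSession` plus `revokeSession` of the old one closes the remaining fixation gap.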



