programming is terrible: lessons learned from a life wasted

I don’t advocate PHP as a first language.

When I suggested languages to start with, a friend asked me why I didn’t recommend PHP. Thankfully, Google knows the answer:

[image]

Although some people mistake PHP for a scripting language, perhaps PHP is really two things: the most popular C web framework, and one of the most powerful templating languages out there.

PHP is the framework, and unlike Django and Rails much of the logic is written in C—including how routing, argument decoding and session handling work by default. PHP is also the template language, and unlike Python or Ruby, “Hello World” is a quine.

Bashing PHP with a long list of quirks and misfeatures has been done to exhaustion, and misses the reason people use it: it’s popular, and programmers use popular things. Personally, I don’t think PHP is all that bad; it is still probably the easiest way to write a cgi-bin script that spits out HTML, and most of the PHP you will ever need has been written for you already.

For beginners, diving in and hacking at a larger codebase can be just as challenging, fun, and frustrating as writing all new code. Although I have recommended software written in PHP to people, I don’t recommend it for new projects, or to beginners. Why? Internationalization and security.

PHP itself, and many major products in it, have a rather hilarious security record, even rivalling Paul Vixie’s, but that is not my real concern. Writing secure code, even if just covering the trio of Cross Site Request Forgery, Cross Site Scripting, and SQL Injection, requires expertise in a language touted as being for beginners. PHP does very, very little to prevent these or mitigate them effectively by default in a new project.
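To make the point above concrete, here is an added example (not code from the original post) of one small page with the three unsafe forms PHP accepts by default shown in comments, followed by what the developer has to write by hand instead. The `notes` table, the `name`/`body`/`csrf` fields and the helper names `e`, `notes_by` and `csrf_ok` are all constructed for illustration, and the in-memory SQLite database assumes the `pdo_sqlite` extension is available.

```php
<?php
// Added example, not from the original post; table, fields and names are constructed.
declare(strict_types=1);
session_start();

$db = new PDO('sqlite::memory:'); // throwaway in-memory database (assumes pdo_sqlite)
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (author TEXT, body TEXT)');

// What PHP accepts without complaint in a new project (left commented out):
//   echo "Hello, " . $_GET['name'];                                   // XSS
//   $db->query("SELECT body FROM notes WHERE author = '$_GET[name]'"); // SQL injection
//   if ($_POST) { /* save the note */ }                               // CSRF

// Output escaping has to be called by hand at every point of output.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Queries must go through placeholders rather than string concatenation.
function notes_by(PDO $db, string $author): array {
    $stmt = $db->prepare('SELECT body FROM notes WHERE author = :author');
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// A per-session CSRF token has to be generated, embedded and compared by hand.
$_SESSION['csrf'] ??= bin2hex(random_bytes(32));
function csrf_ok(array $post): bool {
    $sent = $post['csrf'] ?? '';
    return is_string($sent) && hash_equals($_SESSION['csrf'], $sent);
}

// Request parameters can arrive as arrays, so check the type before use.
$name = is_string($_GET['name'] ?? null) ? $_GET['name'] : 'world';

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrf_ok($_POST)) { http_response_code(403); exit('Bad CSRF token'); }
    $body = is_string($_POST['body'] ?? null) ? $_POST['body'] : '';
    $db->prepare('INSERT INTO notes (author, body) VALUES (?, ?)')->execute([$name, $body]);
}
?>
<h1>Hello, <?= e($name) ?></h1>
<ul><?php foreach (notes_by($db, $name) as $note): ?><li><?= e($note) ?></li><?php endforeach ?></ul>
<form method="post">
  <input type="hidden" name="csrf" value="<?= e($_SESSION['csrf']) ?>">
  <textarea name="body"></textarea><button>Save</button>
</form>
```

Because the database is in memory, saved notes last only for the request that created them; the example is about the three checks, not persistence.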

Internationalization is still quite hard in PHP too, and the last major attempt to make it easier, PHP6, failed. Although less of a concern to those who suffer from American exceptionalism, ASCII and Latin-1 aren’t good enough for the rest of the world, and PHP’s companion, MySQL, doesn’t help much with this either.

Still, if you think WordPress, Drupal, MediaWiki et al. solve most of your problems, use them. They’ve worked around the big issues, and have helpful, supportive communities. For new programmers writing new programs, other languages may be less painful if you don’t speak US-ASCII and don’t want to be hacked.

This isn’t directed so much at those who are already wedded to and entrenched in the world of PHP. I’m not asking you to abandon PHP, but to fix it—not by writing a new framework atop, but by fixing what lurks beneath.