Skip to main content

PHP7: A quick look at performance and security

PHP is a widely used language to build custom server-side scripting. According to the Stack Overflow Developer Survey 2017, 28.1% of developers use PHP as a programming language. In 2015, when PHP7 was released it was quite a revolutionary step in comparison to the release of PHP5 in 2004. Let’s have a look at its performance and security improvements.

Performance

The first thing worth mentioning is the speed of PHP7. It’s based on PHPNG engine (Zend Engine 3.0). The advantage over its predecessor, PHP interpreter Zend Engine 2.0, is that it’s up to 2x faster performance and 50% better memory consumption compared to PHP5.6. It means that the server can return pages to the users twice as fast, and can serve a greater number of concurrent users. It also means that a single server can handle twice as many requests to serve the same number of customers at the same speed as before.

PHP7 offers a serious improvement of performance for most applications such as eCommerce and CMS platforms. For example, Magento setup on PHP7 is able to serve up to 3x as many requests than PHP5.6 with 30% lower memory consumption. Please take a look at the infographic on that issue: http://www.zend.com/en/resources/php7_infographic

Tumblr and Badoo are big companies among those which use PHP7 and profit greatly from the upgrade.

PHP7: A quick look at performance and security

Security

Each branch of PHP, that has been released, is fully supported for 2 years. During this period, i reported issues are fixed and are released in regular point releases. Each branch is also supported for an additional year for critical security issues only.

According to W3Techs data, up to 86% of PHP applications rely on unsupported versions that expose the business to a multitude of well-documented security vulnerabilities and possible security breaches

Now the PHP7 comes onto the stage. It offers better security enhancements than PHP5, e.g. a filtered unserialize function or a set of functions cryptographically secure random numbers (random_bytes() and random_init()).

What else makes PHP7 better? It has introduced new features such as scalar type declarations and return type declarations. These enhancements make the maintenance of code pieces and writing more robust tests easier.

Moreover, testing applications and finding hidden bugs becomes simpler due to scalar type and return type declarations. It also helps team developers to understand the code if the data type of function is specified.

Type declaration in PHP7 removes the burden of checking the data type of arguments before processing.

Also, worth mentioning are the null coalesce operator and the spaceship operator <=> by comparing two expressions, both which require less code to perform specific evaluations. Many fatal errors become now merely exceptions.

PHP7 security

Summary

Summarizing, PHP7, with the released in 2017 subversion 7.2 and the planned release of 7.3 in early 2019, it appears to be more reliable and secure web programming language than its previous versions. It looks like it can successfully compete with other languages. Let the words of the PHP creator, Rasmus Lerdorf, be the best conclusion: “The big thing is performance. Most code will run twice as fast as before, with some caveats” and “Everything a developer needs to write safe code is available in PHP”.

Piotr Buczkowski