PHP vs Node?

Muhammad on August 04, 2019

I have done quite many projects with clients in PHP, but now I have moved away from PHP to Node. I would like to know what do you guys have to say...

PHP lets you create bugs and security issues super easily. The only consistent thing about PHP is its inconsistency. It is so bad that Facebook created Hack to make it usable. The only powerful thing about PHP is that it's Turing-complete, but hey so is brainfuck.

That summarily covers my opinion of PHP.


You can create bugs and security issues super easily with nodejs too.

In modern backend environments php is not used naked anyway, most of the time your framework will be based on secure and field tested components (mostly coming from Symfony). Laravel is based on symfony for example, you can also very easily create your own custom and secure framework using symfony components.

I would say that PHP is still quite valid as a backend OOP programming language. Especially with PHP 7.

NodeJS can replace php for the best in many areas where php used to be chosen by default, for a lack of better alternative, but that doesn't make php irrelevant. Not everything needs to be a micro service, and many projects use both php and NodeJS.


PHP is uniquely bad in that the people behind it continuously make bad choices in designing the language. T_PAAMAYIM_NEKUDOTAYIM has existed since PHP 3 and is still visible as part of parsing errors today. It should be renamed T_DOUBLE_COLON but somehow still hasn't been, and the manual entry makes it seem like it's a cute and quirky feature of the language. Oh look! You have to know a very specific subset of Hebrew to work your way around the code!


PHP doesn't abort execution and show a 500 on error. No. Instead it just sends the half-finished page with an error at the top that is guaranteed to break the page.

PHP wasn't designed with you running a server process, and any framework that tries to use PHP this way undermines itself completely by having to spend 98% of its development time working against the fact that they're trying to run a modern 3D game on top of SNES-like architecture. PHP was made to be the OG serverless language, running per-requests instead of as a daemon process. But even that very core feature of PHP was butchered.

No attempt has been made to standardize the signatures of standard library functions. Sometimes snake_case, sometimes pascalCase, sometimes nocase, sometimes the verb is first, sometimes the noun is - and for array functions, sometimes the array goes in first, and sometimes last!

PHP is the only language with a configuration file assigned to it. Not a list of language features to turn on/off, no. Configuration that will change the way the language works. Which means you can't take the code from one server to the next and expect things to work. You also have to take into account the configuration of PHP itself.

While JavaScript has its share of "wat"s itself, comparison in PHP, and more generally type coercion in PHP is a PITA, and that's a huge euphemism. Oh, and while JavaScript's == is weird but understandable, PHP's ==, oh boy...

These aren't usage errors, where the developer wrongly assumes something about the code itself and unexpected behavior emerges. These are weirdness coming from the language itself, which makes it extra hard to wrap your head around how to use the language itself, and as a result makes you more prone to errors.

Finally, someone will say "oh but language X or Y also has these quirky features". Oh it's okay then, some other language is weird in this aspect, therefore it's okay to put it in PHP. Therefore PHP really is Frankenstein's Monster of programming languages.

Oh yes. That and more.

On a sidenote I thought that T_PAAMAYIM_NEKUDOTAYIM was fixed in recent versions but it seems that it was actually not. 🤦

I'm surprised there are no other languages in the error messages though

To be honest, I like this historic, cultural error message. Even though it should be accompanied by a clearer error message. It is a simple error and explained when searched for ad nauseam. That being said, I would never go back to PHP after having switched to Node.js with Typescript.


Yes, for example:

myFunc() {
    setState({ "number" : 1 });
}

The code is right, it compiles but it ignores the fact that setState is async. So it will act randomly.

And it is a basic example and it is a REALLLLLY common mistake.

Lolx rules are rules, we didn't make em so we gotta follow em... I think what you might be embarking is creation of a new language above a language...

The evolution of assembly to java and beyond now

Yes, although it's mostly a front-end issue. On the back-end if you try to access DB data in a non-async way you'll quickly realize that the data is simply not there. I've been handed large amounts of amateur JS and there were MANY issues but not really that one.

The kind of issues that PHP enables are more like "let's execute this unfiltered user input" which is way more dramatic than a randomly-bugged front-end component.

The kind of issues that PHP enables are more like "let's execute this unfiltered user input" which is way more dramatic than a randomly-bugged front-end component.

Validating the user input is anything but trivial. But I don't think Javascript is doing it better. AFAIK, MVC c# it does it right, we could validate the type, the long, if it is present or not and such.

There are some libraries that do this job but natively both languages don't do their duties.



Oh well, I assumed that frameworks would make sure that req.param('name') is a valid unicode string while $_GET['name'] can be any string of bytes but maybe I'm expecting too much?

In any case, you can write stupid code in all languages. But to be specific to the $_GET issue, it's so easy to break encapsulation using it (because it's global). Same thing with $_REQUEST, what is the point of this except getting X-whatever-scripting attacks from all sides?

PHP is just next-level compared to anything else in terms of possible misuses.


Yes, I really felt that NodeJS can replace PHP. I have had failovers in PHP where my website was attacked and stuff, but as far as NodeJS is going it's going pretty smooth. But because I came from PHP, I really find that PHP is a good language to start with in making good programming concepts.


Your comment reminds me of these words from Rasmus, I quote "PHP is perfectly consistent, just not in the way you expect".


I would be curious to know the details of this security issue you spent hours on, and why the same mistakes couldn't have been made in NodeJS.

In other words, are you judging php because of the poor quality code that was written by the community years ago?

How many popular npm packages have been known for having major security issues?


In short,



Of course that was hidden over several layers of call stack so it was not so obvious, and the hours were mostly spent making an assessment of the server to know if anybody used it.

I'm not particularly a fan of NodeJS but it's just that these kinds of mistakes are super-easy to make in PHP despite all the goodwill of frameworks.

My problem with PHP is that the PRNG is unsafe, the way weak typing works is unsafe, the absence of unicode handling is unsafe, the fact that PHP is a templating language is unsafe, the silent failures are unsafe, ... Everything in PHP is unsafe.

It's just an example within an ocean but let's compare JS and PHP on weak typing.

if (0 == "bonjour") {
    // Will be reached in PHP but not in JS
}

By converting strings to integers and not the opposite, the typing system removes information and possibly creates security issues (this specific thing was used in phpBB to become administrator by modifying your session ID).

Of course you can ban == in your code but what about dependencies? What about some things in the standard library which will keep on doing == instead of === because it's more within the philosophy of PHP?

Of course NPM is not perfect and there are tons of flaws in it but the fact is that PHP is fucking terrifying.

JavaScript has numerous similar oddities, that could lead to unwanted behaviour when the code is written by someone who doesn't know the language:


In what language is it a good practice to compare a string to 0 in order to prove that it's empty or null anyway?

I agree that PHP is weakly typed, but the main issue here is the developer. I work with PHP developers and no one writes this kind of code.

PHP's reputation is mainly due to the fact that in the past many php softwares were written by script kiddies. People I hear dismissing PHP as a whole have no experience of modern PHP development.

JS is a good comparison because it's a really strong amateur language as well. And I'm not saying that it has no issues but rather that PHP makes very dangerous things very easy to do.

Of course, PHP improved a lot and many low-hanging fruits have been fixed. However let's have a look at this security issue from phpBB back in 2005. Yes it's old and yes a linter would fix it. But if someone wrote that code today the issue would still be there.

If you take the code, it goes like this (in short):

$sessiondata = isset($HTTP_COOKIE_VARS[$cookiename . '_data']) ? unserialize(stripslashes($HTTP_COOKIE_VARS[$cookiename . '_data'])) : array();

$auto_login_key = $userdata['user_password'];

if( $sessiondata['autologinid'] == $auto_login_key )
    // You're admin

So yes the stripslashes() is a funny reminder of a time that is actually over since PHP managed to get rid of magic_quote_gpc but that's not the point.

Some raw data from the user goes through unserialize(). Which means that $sessiondata['autologinid'] is of any type that the user deems. On the other hand, $auto_login_key is a string.

To answer your question, who would compare 0 to a string? Well, some hacker using unforeseen side-effects in some code that looks very reasonable otherwise. Putting 0 in autologinid is equivalent to writing:

// Before implicit cast
if( 0 == "somekey" )

// After implicit cast
if ( 0 == 0 )

You're going to tell me that now we have JSON and frameworks and many wonders that help us not do this kind of things. But if you never saw a junior write a $_GET in some Laravel/Symfony code then you have not been looking. And the same goes for all protections brought by these frameworks, they are just too easy to bypass.

Now to be honest I don't like PHP and I don't like JS (especially on the back-end) so that's really more of an anti-PHP argument than a pro-Node one.
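
The comparison described in the comment above, as an added example that is not part of the original post and is not phpBB's code: the same cookie check written once with `unserialize()` plus `==` and once with a type check plus `hash_equals()`. Function names and sample values are constructed. The integer case passes the loose check on PHP 7, the version current when this thread was written; PHP 8 changed comparisons between numbers and non-numeric strings, but `==` still coerces types in other cases, so the explicit type check is the fix rather than the upgrade.

```php
<?php
// Added illustration, not phpBB code. Names and sample values are constructed.

// Pattern from the comment: client cookie -> unserialize() -> loose ==.
function check_autologin_loose(string $cookie, string $storedKey): bool
{
    // allowed_classes=false blocks object injection, but the client still
    // chooses the scalar type (int, bool, string...) of every field.
    $session = @unserialize($cookie, ['allowed_classes' => false]);
    if (!is_array($session) || !array_key_exists('autologinid', $session)) {
        return false;
    }
    // == converts its operands before comparing, so a non-string value is
    // never compared character by character with the stored key.
    return $session['autologinid'] == $storedKey;
}

// Hardened form: data-only encoding, explicit type check, constant-time compare.
function check_autologin_strict(string $cookie, string $storedKey): bool
{
    $session = json_decode($cookie, true);
    if (!is_array($session)
        || !isset($session['autologinid'])
        || !is_string($session['autologinid'])) {
        return false; // wrong shape or wrong type: reject before comparing
    }
    return hash_equals($storedKey, $session['autologinid']);
}

// Constructed stand-in for the stored auto-login key.
$storedKey = 'somekey';

// Constructed session payloads: two strings and the integer from the comment.
$cases = [
    'correct key (string)' => ['autologinid' => 'somekey'],
    'wrong key (string)'   => ['autologinid' => 'otherkey'],
    'integer 0'            => ['autologinid' => 0],
];

echo 'PHP ', PHP_VERSION, PHP_EOL;
foreach ($cases as $label => $data) {
    $loose  = check_autologin_loose(serialize($data), $storedKey);
    $strict = check_autologin_strict(json_encode($data), $storedKey);
    printf(
        "%-22s loose=%-5s strict=%s\n",
        $label,
        var_export($loose, true),
        var_export($strict, true)
    );
}
```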


PHP is not for beginners, it's true. All people I know that agree with you don't know PHP.

It requires a strong tooling to be effective and be confident with your code. But it's still a valuable choice for backend apps.


PHP was actually helpful when I was a beginner in 2003 but actually better options came out and kind of exposed the fact that PHP will encourage dangerous behaviors. In fact, I can specifically thank phpBB for teaching me all the common security mistakes you can imagine.

Last week I spent hours fixing potential remote code execution issues in a very popular piece of PHP and that makes me very sad. Because this kind of problem is VERY easy to have.

Of course you can artificially throw away 3/4 of the language and base everything upon more or less decent community-built tools while praying that none of your juniors will create a colossal hole in your code but knowing the alternatives that's really not the choice I'd make.

As I said, it's definitely not for juniors. As an experienced PHP developer, I'm responsible for delivering safe apps with secured Apache configuration, built with clean code and tested in a pipeline. It's more difficult in PHP than in any other language, but I learnt so much more than if I had chosen the last all-in-one ready-to-go JS framework.
But if I had to choose a programming language to start my career today, it wouldn't be PHP.


I found it interesting how people bash on PHP and don't seem to realize they bash on not even the wrongest part of the language. I worked a lot with PHP, from 5 and a little with 7. PHP is a One to One prototype from the underlying C library, making it as consistent as C and C++. Here is a video that explains why youtube.com/watch?v=wCZ5TJCBWMg. In summary, PHP came at the right place at the right time and grew at the right pace, leaving behind inter-module consistency.

It also explains that yes, PHP was not and is not the fastest, but their strategy at the time was way better than faster and more "thoroughly thought" languages like Perl and Python. And please, Javascript has been developed in such a hurry that it is way more of a mess than PHP (in my opinion).

And I never used it, but I thought HipHop from Facebook was a PHP compiler (don't know about Hack!).

What is the worst part of PHP for me:

  • weak/strong comparator (such as == or ===) ;
  • method overloading only possible using arrays ;
  • the way it implies if something is a string or a number or whatever ;
  • the memory footprint (at least with 5) ;

So for me, any loosely typed language makes it easier to create bugs. In such a case, there are always linters.


I mostly agree with you! My main point would be: why keep on working on Frankenstein while there are so many straightforward alternatives.

For the record, in 2010 I strongly stepped in favor of PHP for my projects, but things changed so that PHP doesn't make sense anymore (in my opinion, everyone thinks whatever they want)

That is exactly why I left the Web for Embedded system. I don't know for you, but I was a little tired of doing the same thing over and over again (CRUD stuff). Challenges in Web development, IMHO, is not in the code anymore but in the infrastructure.

Dealing with the 5 desktop browsers, the 18 mobile device formats (plus many browsers) was for me the bigger pain. It has been 2 years since I didn't do any web development per se, so maybe it got better.

All the Web is "hurried development" such as PHP, Javascript and "hey look a new device lets put a browser in it!" (like a refrigerator O_o). Browser version comes out every what, 3-4 weeks. This is pure madness.

C and C++ are not perfect, but at least when I work on an STM32 there is only one place my code will run, for one purpose. And I came to realize that embedded system, even though challenging and low-level, can bring high-value quickly to a device.


With a clear and valid example, please illustrate your point, because it seems to me that bugs can be introduced regardless of the language used, unless there is another valid point; please state it and produce a valid example.


PHP gives an OOBE while Node not (unless we want to generate a really easy hello world).

PHP has Laravel but it is optional. I have not used Laravel in a long while. While for Node, we need something else to do the job. ExpressJS is popular (not unique) but if we compare PHP with NodeJS-Express, we will see that ExpressJS has a lot of code that fits more into the webserver than in a project (after all, Node is the server).


I have this problem that remains unsolved until now. There is mod-php in apache to manage php, but I don't know how to handle a node server like mod-php in apache does. Do you have any suggestions?
For now I create incrementing ports from 3000 to 300X and then proxy them to port 80 on apache (on my server there are multiple node servers running proxied to apache), and I think it's not effective.


I think for node, I would consider PM2.

It's a process manager for Node

PM2 Process Manager

pm2 start your_app.js -i max

This will auto-detect whatever number of CPUs you have and will manage it accordingly. You can customize it, but you've got to refer to the docs.

I think from PHP to Node was a hard shift, but now I see it's not that much harder; it's like the best of both worlds, I suppose.

Thank you for the explanation, do you have any idea for handling ports?

I think if you start it with a your.json file, you could kinda hack around like this.

pm2 start your_file.json


{
  "apps": [
    {
      "exec_mode": "fork_mode",
      "script": "path/to/app.js",
      "name": "myfirstapp",
      "env": {
        "PORT": 3000,
        "NODE_ENV": "production"
      },
      "error_file": "path/to/error.log",
      "out_file": "path/to/output.log"
    },
    {
      "exec_mode": "fork_mode",
      "script": "path/to/app.js",
      "name": "mysecondapp",
      "env": {
        "PORT": 3001,
        "NODE_ENV": "production"
      },
      "error_file": "path/to/error.log",
      "out_file": "path/to/output.log"
    }
  ]
}

Let me know, what you find.

Oh I see, that was a great idea. Thank you!


Usually we do a reverse proxy configuration. PHP also allows this kind of configuration.

As Muhammad told you, PM2 is (afaik) the way to go


But you could do without pm2 too.

Thanks for the response Jorge, I recommended pm2 because if the process fails from some error it just restarts it. Hope you'd agree.

Hello, thank you for making it clear

as you can see here

<VirtualHost *:80>
    ProxyPreserveHost On

    ProxyPass /
    ProxyPassReverse /
</VirtualHost>

It only runs one service. My company is SaaS, so probably in one VPS there will be tens of different projects, and running different projects with manual port handling will take more time.


I think it's interesting that we haven't mentioned that PHP (typically) runs in the context of a larger web server, and that NodeJS does not. In my experience Node applications typically provide a web server (like Express) and are then proxied through a webserver that serves a larger site, like Nginx or Apache.

Perhaps this is why we see many Node applications outside of a web server (command line tools, console utilities, etc.) and rarely see PHP being used for much aside from websites.

I'm not sure that NodeJS is all that much faster than PHP. While I suspect that NodeJS code might be faster at certain tasks, I suspect that PHP will be more performant in general.


Usually, the bottleneck is not the language but the database, followed by the framework. For example, it is possible to program a superb website on C++ (yes, it is still possible using fastcgi+), but it still could be slow because of the database.

It is the point:

We don't want to scale logic but data.


I agree but what can you say... It's just how it goes and how it has gone with perception


Gosh. I would pick php at any time of day. Node.js isn't made for large projects...
Those who think php is trash and insecure are just stupid and never learned how to work with php or any other server side lang.
Good luck with js back end. lol.
I can't read this comment section...


Nodejs isn't made for large projects? Who are you kidding?
You just sound like my colleague who's afraid to learn something new because it goes beyond your area of expertise.
There's a reason mostly every company moves from PHP to Nodejs or .NET.
TS + Node is far superior than PHP.


Btw I have basics with node.js socket.io and I am quite good at net. I wrote a realtime pos system on it, but I would not use node where I don't need it (I mean execute exit process software).


Thank you very much for highlighting this


A week ago I started learning Node and I feel myself in my plate). First step was ExpressJs. It's cool tool, but Restify is better for me. In my opinion, Node is better for me (Cause I've moved to backend from frontend and it was not painful)


PHP and Node attempt to solve the same problem from different points of view. PHP considers the server-first perspective while node considers the client-first perspective (generally speaking). Node has the advantage of having a larger common (COMMON) user base and the disadvantage of being a bigger target for abuse. PHP libs have been around a long time and are less likely to have new hacks against them but have a history of exploits because of managing applications.

Before I get flamed! ....

I agree that anything you want to do in php is also possible via node. Javascript is simply more popular in hiring circles etc. PHP is considered a downtrend technology because of its limitations relative to (server side) python, etc. IMHO PHP perceived limitations don't make it better or worse than javascript, just different.

I guess the point I'm trying to make is that if I inherited a PHP project I wouldn't bother to force it to be node based unless necessary. Otherwise I'd probably start a new project with node (or python depending on the situation).


Agreed, this is a debate that needs a common answer because as 2 or more devs get together the first thing coming out is PHP vs Node.


I think the comparison isn't fair enough. PHP is a programming language while Node isn't. Node is a runtime environment to run Javascript on the backend. So any comparison between the two will be off context.
Each language has its strengths and weaknesses that is why I hate to compare languages.
If the language isn't relevant anymore then you won't find it around.


I know I'm playing with fire here so please keep in mind that starting an endless discussion is not my intention.

I prefer PHP over Javascript. They are both programming languages and choosing one over the other is a matter of personal preference. People keep mentioning Node.js but that's a runtime for javascript with mod_php being the same equivalent for php interpreter in Apache. They are made for different purposes; Node.js apps are standalone apps which are better suited for persistent long lasting connections for example, while php is meant for exec-and-exit situations like single page renderings, etc. I have even written shell scripts in php just because syntax is more to my liking than bash.

You could also do a long running apps, persistent connections and numerous other insane endeavours with php, but maybe with a lot more effort than doing the same thing in Node.

Once again, I am not a fan of Javascript but have used it on both client (React) and server (Next). Beginners will for sure find asynchronous Node programming much harder than php. I don't understand how php syntax is more complicated than javascript 🤔

PHP is constantly being updated and has come a long way and although it's been a while since I last used it, I'm sure the security issues are much less frequent nowadays.

Maybe I'm just biased since php was my first web language, but it deserves some respect and it certainly doesn't deserve all the flame coming from javascript-only developers.

Anyone remember Tomcat App Server? 😉


Node is great for prototyping any type of application, PHP is great for templates.

You might have wrongly tagged this with #docker, though it's good advice to run your projects inside containers as there have been some trojans in NPM packages which won't be very effective when running in a container. If you use node please make sure you know who made your dependencies and transient dependencies, you are trusting them! Also always set your dependencies to fixed versions and use package-lock.json!


I still find setting up a PHP server not as easy and straightforward as a Node server. Is that true for most of you?


Depends if you build it up from a bare nude OS or not. Anyway I never set up a NodeJS capable web server, only did it for PHP and it was as easy as chaining commands. Got my website up and running, set up some cron for my Laravel Queue jobs, just a breeze.

Also have the same experience with a Xampp local config (and thinking on switching to Docker containers for my next project).


I think it really depends on what environment you are setting up. There are many scripts now written to single install all what you need, it does come with extra but you get past the headache.


Cool. Thanks for the clarification.


With the help of Docker now this should be easy


Any Go developers having a laugh here?? xD


I'm a 2 year old Node.js dev & a 5 year old Php dev. I think what makes a good programming language is its ability to attract programmers & consequently make them stay.
That's Node.js for me.
Note: learning node.js from a php background is challenging @ first because it has somewhat completely new concepts but once you get the hang of it you'll realize there's a module for almost anything you want.


I find PHP's syntax to be very confusing when compared to other modern, programming languages.


How is it confusing? I just fail to understand; if you know java and c/c++, php is just the same


Using arrows instead of periods was enough to confuse me. lol


NodeJS. VS Poorly Heat Pattern!
Null or defines equal VS PHP


I agree with you... but I'm tired of pressing $ on the keyboard for variables... unless you...

and you get a lot of discussion when you try to make a post about 'node vs php'
