Just try pulling data from a database and inserting it into a page in a way that is vulnerable to XSS in Django, Jinja, or Rails. You obviously can do it, but I bet you'll need to spend half an hour reading the documentation before you succeed.
The same happens for SQL injection, and session management issues, and a huge amount of other problems.
Sure, you could separate PHP the language from PHP the processing instruction and PHP the standard lib. But PHP calls itself a "hypertext preprocessor" (it's in the name) and PHP's own intro (literally on page 1, sentence 1, cf. [1]) advertises web templating as its distinguishing feature. So I think it's fair to compare PHP against other HTML generators.
So, regarding the parent, I was pointing to PHP being more of a language and less of a "web framework" which I don't believe you address at all. As for web templating and such
> PHP (recursive acronym for PHP: Hypertext Preprocessor) is a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML.
I would focus on the core statement of the sentence, which is "is a widely-used open source general-purpose scripting language". Comparing PHP to other HTML generators (re re re? parent: Django, Jinja, Rails) leaves out the entire concept of "general-purpose scripting language" and only focuses on "embedded into HTML", which, while a main feature, isn't the whole of it.
And I'm pointing out that treating PHP as a framework is not a "flaw in argumentation". The default installation of PHP gives you a setup that parses HTTP requests and returns HTTP responses, and provides a bunch of web-centric functionality in between. I.e. it's a web framework, albeit not a very good one.
> Correct me if I am wrong, but so does Node, Ruby, Python, etc.
I think Node is also a framework, although there seems to be some controversy about this[1]. Ruby and Python give you standard libraries from which you can build a web server or templating engine or whatever, but it would be weird to say that made them Web Frameworks. Maybe things have changed, but last I knew PHP had a command line switch that tells it to not act like a web framework, because that is its default mode of operation. But you're right that it's been a few years.
I don't think I'm jumping on a hate bandwagon, but I am succumbing to someone-is-wrong-on-the-internet syndrome, which I know to be a mistake.
Although I can't resist asking - are you saying PHP is a good web framework? How does that fit with the idea that PHP is not a web framework?
I think we have different definitions of frameworks. So no point in arguing over that.
> Maybe things have changed, but last I knew PHP had a command line switch that tells it to not act like a web framework
I honestly don't even know about a command line switch. I just write my script and execute it with the CLI (php test.php)
> I am succumbing to someone-is-wrong-on-the-internet syndrome
Please tell me this has a name
> Although I can't resist asking - are you saying PHP is a good web framework? How does that fit with the idea that PHP is not a web framework?
Not sure of your exact intent, but as far as PHP being a good language to write a web application in, sure, it can be. IMO, it depends on the application and use of the application.
You would have a point if the frameworks you provided had that kind of protection by default (or if you could at least enable it project-wide), and if PHP development were mostly done on them, instead of WordPress and Drupal.
Besides, there's more to security than SQL injections and XSS. The PHP tooling is overflowing with bad practices.
Take a look again. Each of those frameworks is using a template engine which is escaping any output by default.
If you do not need escaping, you have to opt out for single outputs.
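To make the "escaping by default vs. opt-in" point concrete, here is an added example (not code from anyone in this thread) showing what plain PHP gives you out of the box for the two issues named above, XSS and SQL injection, next to the hardened form a developer has to write by hand. The sample row and the in-memory SQLite table are constructed for the demo; it assumes the pdo_sqlite extension is available, which it is in most stock PHP builds.

```php
<?php
// Added example: PHP's default output path vs. the escaped/parameterised
// forms you must opt into. The $row below stands in for a database result.

declare(strict_types=1);

// Constructed sample row containing a classic XSS payload.
$row = ['name' => '<script>alert(document.cookie)</script>'];

// Raw PHP: echo/interpolation is the templating primitive and it does NOT
// escape. This is the XSS-vulnerable form; nothing in the language stops it.
function render_unsafe(array $row): string
{
    return "<p>Hello, {$row['name']}</p>";
}

// Hardened form: every output must be escaped explicitly. ENT_QUOTES also
// escapes ' and " so the value is safe inside HTML attributes too.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_safe(array $row): string
{
    return '<p>Hello, ' . e($row['name']) . '</p>';
}

// Same story for SQL: string interpolation is the path of least resistance,
// prepared statements with PDO are the opt-in.
function find_user_unsafe(PDO $db, string $name): array
{
    // Vulnerable: $name is concatenated straight into the query text.
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

function find_user_safe(PDO $db, string $name): array
{
    // Parameterised: the driver sends the value separately from the query.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// In-memory SQLite so this runs stand-alone: php example.php
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

echo render_unsafe($row), "\n"; // <script> tag lands in the page verbatim
echo render_safe($row), "\n";   // &lt;script&gt;... is rendered as text

$payload = "x' OR '1'='1";
echo count(find_user_unsafe($db, $payload)), " rows (injection matched every user)\n";
echo count(find_user_safe($db, $payload)), " rows (the parameter is just a string)\n";
```

The contrast with the frameworks named above is that the safe form is the default there and the unsafe form is the thing you have to spell out: Jinja2 and Django require `|safe` (or `{% autoescape false %}` / `mark_safe`) to emit unescaped output, and Rails' ERB requires `raw` or `html_safe`. In plain PHP the `e()` wrapper and the `prepare()` call are both extra work the developer must remember on every output and every query.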