There are tons of beautiful PHP apps out there, most of them plagued with serious security holes because most programmers learn from example and most PHP examples to be found on the net are badly flawed.

I tend to agree that it’s possible to write crappy code in any language, but PHP seems to have more than its fair share. Some people claim this is because it’s so popular and I’m sure that’s part of it, but I’ll assert that it has more security holes per deployment than any other language. Worse, most of them are SQL injection and remote code execution exploits.
I attribute this partially to poor ideas in PHP’s implementation (certain settings in php.ini were patently bad ideas), but mostly I attribute it to poor examples for others to learn from. If you don’t want to teach well, then don’t teach. If you make a mistake, don’t make excuses, fix it.

Now as for your claim that ‘amfphp is a framework’, I want to stress that this is false. Amfphp is, and will always be, a Remoting gateway, that exposes vanilla php classes to the outside, enforcing security. One of amfphp’s design goals was that you could integrate it with whatever you’re currently using, so you don’t have to learn to code again. Most amfphp examples onlines use plain mysql, because that’s what a lot of people use in PHP, and everyone’s familiar with these functions. Nothing is stopping you from using any of the other databases that amfphp supports which there days includes ADO, FrontBase, Informix, ms-sql, Oracle, generic odbc, PDO, PEAR::DB, Postgres and SQLite. There’s been nice reports on using it with Creole also.

Again, I want to stress, amfphp is not a framework. The fact that it can be used as a module in Cake (a Rails clone for PHP) proves it. Note that amfphp’s approach is not universal. People who wanted a cleaner API and a more ‘frameworky’ approach created SabreAMF. I talked to the developer to get him to work in amfphp instead and it turned out that our goals were irreconcilable. This will allow amfphp-enabled classes (that is, classes that set a methodTable) to be used as JSON services for JavaScript, or for XML-RPC, or to generate SOAP services, etc.

Comparing PHP-the-language to any other language is silly anyway, because PHP includes the kitchen sink and the house to go with it as far as built-in functions and extensions go.

PHP also does a very bad job at choosing how to expose what it offers. It makes it hard, or at least non-obvious, to write correct code. EVERY SINGLE DATABASE QUERY in the cited example is susceptible to SQL injection attack, where people simply don’t write shit code like that in environments that offer a sane means of SQL quoting. Since everything else is already there, it encourages people to just use the raw MySQL API calls rather than bringing in an abstraction. That’s also stupid because it takes 5x more code to do all the quoting by hand. People are too lazy to bother with that, so they develop big festering security holes like this one. Even worse, this is example code that people will cut and paste into their own applications. PHP programming is a disease.

Anyhow, TG is actually doing very little in this case besides providing a buzzword and easy means of getting up and running. TG is serving as shim for CherryPy to make HTTP requests transactional with the database, and as a script to create the SQL tables. It also ensures that SQLObject and CherryPy are known to be installed.

It could’ve been written as raw Python with BaseHTTPServer (or CGI) and the minimum DB-API wrapper in the same amount of code, but that’s stupid and it’s not the point of lesscode. Abstractions that work are good.

(Sorry I did use J2EE in my previous job, and understood the complexity also gives it lots of flexibility)

My point is, your 117 lines of Python code simply won’t work without TurboGears. TG basically takes care all the complexity so that you can write “less code”, but as Mr Coffee has suggested you can also write less code with appropriate framework in Java. It doesn’t include database schema either — it includes an object relation mapping that doesn’t work well if another application written in another language also needs to access the same database.

And the PHP example? It does everything (DB connectivity, SQL query, etc) WITHOUT a framework to build on.

So IMHO, the comparison is flawed.

The Python version is about 85 lines for all that when using long lines and without all the newlines introduced specifically for readability’s sake.

Coffeetime.