Cybersecurity

Most PHP teams using out-of-date deployments, Zend’s annual survey finds

Use of end-of-life PHP versions is widespread, but some of those deployments may still be receiving security patches from third parties.

Phiwath Jittamas/Getty Images


Well over half of PHP teams are using a version of the scripting language that should RIP, potentially exposing their applications to unpatched security vulnerabilities, according to Zend’s 2023 PHP Landscape Report.

Just shy of 62% of the 651 respondents to the annual Zend survey reported using at least one of the PHP versions that predate PHP 8.0, the oldest version still receiving security updates. The preceding version, PHP 7.4, lost official support last year and is still being used by 54.2% of PHP teams.

Matthew Weier O’Phinney, product manager and principal engineer at Zend, told IT Brew that development teams running applications on potentially insecure older versions of PHP have a choice. They can either find a commercial vendor for security updates—like a Linux distribution or a firm that provides long-term support binaries—or upgrade. The latter path just isn’t always practical because of PHP’s rapid development cycle, he added.

“Every minor version tends to add in deprecations, and those deprecations often have some subtle, backwards compatibility issues,” O’Phinney said. “So, it’s quite difficult for companies to try and stay on top of those every single year. We’ve seen it can be as easy as a few hours [or] it could be monthslong migrations for them to do these.”

Rather than dealing with deprecation, teams may encounter hard errors and be forced into “substantial refactoring of their applications,” O’Phinney added.

Zend didn’t ask whether the end-of-life PHP versions being used in all these applications are receiving third-party support, so it’s unclear how much risk is actually being taken on.

In the survey, developers reported at high rates that they enjoy working with PHP and find it easy to learn; the only negative response concerned the statement that PHP is “evolving too slowly.” According to O’Phinney, that reflects a longstanding debate about the pace of change in PHP—while users want new features, frequent updates can force developers to commit resources they’d rather put towards building out their apps.

Top insights for IT pros

From cybersecurity and big data to software development and gaming, IT Brew delivers the latest news and analysis of trends shaping the IT industry, like only The Brew can.

“A couple of people have suggested maybe there needs to be, periodically, an LTS version of PHP that the community maintains,” O’Phinney added. “The problem that we have there is all this maintenance for release management and backporting of security patches happens at a volunteer level…While we do have initiatives such as the PHP foundation that are trying to help fund this sort of thing, the question is who is going to be responsible for that, ultimately?”

The survey shows many PHP users already spend a lot of their time on maintenance. The most time-consuming parts of upgrading between versions, respondents said, were refactoring (37.8%), testing (33.4%), infrastructure provisioning (12%), planning (11.6%), and compliance renewals (5.2%).

According to O’Phinney, other big findings in the report were that Amazon Web Services surpassed on-premises as the most common PHP deployment target—with on-premises dipping 10% year over year—and that adoption of containers is skyrocketing.

“The interesting part about PHP is it scales horizontally. So, if you need more scale, you throw more servers at it,” O’Phinney said. “You can just take it down, you’re instantly saving money. When you need to, you scale it up and you throw more servers at it. That’s really easy to do on the cloud.”—TM

Do you work in IT or have information about your IT department you want to share? Email [email protected] Want to go encrypted? Ask Tom for his Signal.
