Delphi for PHP first impressions

I tried out Delphi for PHP for the first time this weekend.

Install on Vista was smooth. The setup installs its own copy of Apache 2 and PHP 5. A few minutes later and I was up and running.

The IDE is Delphi-like. Here is a scrunched-up image to give you a flavour:


I have a standard application I build when trying out a new development tool. It is a to-do list with a listbox, a textbox, and buttons to add and remove items from the list. I started well, and soon had the controls placed, though they are tricky to line-up nicely. I resorted to setting the Left property as the snap-to-grid did not work for me.

Then I double-clicked the Add button. As expected, I was greeted with an empty Click handler. What to type? After a little experimentation I came up with this:


When you type ->, the editor pops up autocomplete choices. Nice. I clicked the run button and the application opened in my web browser. I set a breakpoint on the line; that worked nicely, especially after I displayed the Locals window so I could see the value of variables.

The next step is to implement removing an item. This is fractionally more challenging (I realise this is little more than Hello World), since I need to retrieve the index of the selected item and then work out how to remove it.

I am embarrassed to admit that it took me some time. Yes, I tried the documentation, but it is terrible. Unbelievably bad. Someone ran a thing called Doc-O-Matic over the code. Here’s the entire description of the ListBox control:

A class to encapsulate a listbox control 

There’s also a reference which lists methods, again with a one-line description if you are lucky. Here’s the one for ListBox.getItems:

This is getItems, a member of class ListBox.

I gave up on the docs. I had figured out AddItem; I had discovered that the itemindex property has the index of the selected item; but there is no RemoveItem or DeleteItem. I went back to basics. The ListBox has an _items member field which is an array. In PHP you remove an item from an array with unset. I resorted to editing the VCL for PHP by adding a RemoveAt method to CustomListBox:

function RemoveAt($index)

Note that I am not proposing you do the same. There must be a better way to do this. I just couldn’t work it out quickly from the docs; and I was determined to get this up and running.

Here’s my code for removing an item:

$selindex = $this->lstItems->itemindex;

if ( $selindex > -1)

Now my app worked fine. What about deployment? I used the deployment wizard, which essentially copies a bunch of files into a directory, ready for upload. There are a lot. 44 files to be precise, mostly of course the VCL for PHP. Still, it was painless, and you can configure a web server to share these files between different applications.

All I needed to test it was a web server running PHP 5.x (it will not work with PHP 4). Fortunately I had one available, so I uploaded my first Delphi for PHP application. It looked good, but although it worked on my local machine, the deployed app throws an error when you click a button:

Application raised an exception class Exception with message ‘The Input Filter PHP extension is not setup on this PHP installation, so the contents returned by Input is *not* filtered’

I note that this user has the same problem. My hunch is that Delphi for PHP requires PHP 5.2 – I only have 5.1 at the moment.*

In addition, I don’t like the way the default deployment handles errors, by publishing my callstack to the world, complete with the location of the files on my web server.

How secure are all these VCL for PHP files anyway? What assurance do I have about this? Will they be patched promptly if security issues are discovered?

Important questions.

There will be plenty more to say about Delphi for PHP. For the moment I’m reserving judgment. I will say that the release looks rushed, which is a shame.

Update: I’ve now seen a fix posted to the Borland newsgroups for the input filter exception, showing how to remove the code which raises it. However I suggest you do not apply this fix, for security reasons, unless you are deploying on a trusted intranet. It is vital to sanitize PHP input on the internet.

*PHP 5.2 is not the answer. It could even be a problem. Delphi for PHP ships with PHP 5.1. There is an input filter extension which you can add for PHP 5.x; see However these are built into PHP 5.2; but the version used by VCL for PHP is old and seems to be incompatible. What a mess.

Technorati tags: , , ,

35 thoughts on “Delphi for PHP first impressions”

  1. Hey Tim,

    I tend to agree with you on the lack of documentation. I wrote about it briefly on my blog

    I was a bit frustrated (being more of a noob) by the lack of info coming with the product. Hopefully Codegear will get something better together, or some new books will be coming out soon. For now I guess the web and the VCL Reference at Sourceforge are it.

    I will be trying out your test app tutorial this week. So far I have used the dbgrid and the paginator.

  2. Hi Tim,

    nice article that seconds my first impressions… When I tried fiddling with a treeview I had to go into the VCL files to add a function that is called from somewhere else in the VCL, but simply isn’t present (go think…).

    I am not sure about security of VCL4PHP. From reading the Borland newsgroups, I am about to get the impression that this will be a “hey, the VCL is open source – fix it yourself” kind of thing. Same goes for the documentation I fear…

    I have fought for a day to get a working app that filters records in a dbgrid on a selection done in a treeview – forget about it, not possible. I got it “almost” working in Firefox, but then it failed miserably in IE.

    The VCL seems to have big fundamental problems – i.e. when change the “BasicAjax” example to leave the button alone and only change the label, the buttons “OnBeforeShow” event is still called… Why?


  3. Hi.

    My name is adler medrado and i own the blog ( that you pointed to in your post.

    The problem that i’ve found on the deployment is that the vcl uses the filter extension, but the version that it uses is older, so some functions doesn’t more exists on this extensions. I am using PHP 5.2 and the filter extension that i am using is not compatible. You can test your deploy only commenting the line 226 of the file

    Sorry for my english, it is not so good and i hope this help you and your readers!

    best regards,

    adler medrado

  4. Thanks Adler.

    Frankly it looks like a mess to me. There is this note in the readme:

    The first release of the VCL for PHP does not provide pure PHP input filtering. That feature will be added in the open source project.
    If you try to access user input without having the Input Filter extension set up, an exception is raised to remind you it needs to be set up. You have two options: Set up the extension or delete the exception being raised from the VCL code.

    It is all very well talking about “having the Input Filter extension set up”, but as you say there are several versions; and people using shared hosts may not be able to install PHP extensions in any case.

    Commenting line 226 looks like a very bad idea to me, for a deployment on the public internet. And displaying the callstack is poor security as well.


  5. I stumbled onto the new companion VCL site hosted by Qadram. I write about it on
    my blog. I was quite excited to see this in light of the recent discussion about the dearth of documentation. Let me know what you think. I just gazed over it but it looks like a good start.

  6. Yeah. They say that we need the filter extension, but this extension is not stable yet and some functions have changed its names.
    The class as it is now, will not work if you don’t comment the line 226 if you don’t have the correct extension installed. It is not a good idea? Yeah i think it is, but if you want to use this without the extension, you will need to do it. And about print the stacktrace, i put there because that is my local server, i don’t need to worry about security in this case. I dont show stacktraces on my production server and i don’t use the Delphi 4 PHP in serious projects. Not now at least.
    adler medrado

  7. Hi Tim,

    Nice Post.

    Can you tell me which Borland Newsgroup where you read the bug fix from. I have searched the world over and couldn’t find it.


  8. I’m having the same problem with “The Input Filter PHP extension is not setup on this PHP installation”. Any idea how to install this extension? I don’t care if it’s not a stable release, yet. I just need it to work during development. Commenting line 226 isn’t working for me.

  9. Can you tell me which Borland Newsgroup where you read the bug fix from

    Most of the discussion is in borland.public.delphiphp.non-technical


  10. I’m having the same problem with “The Input Filter PHP extension is not setup on this PHP installation”. Any idea how to install this extension? I don’t care if it’s not a stable release, yet. I just need it to work during development. Commenting line 226 isn’t working for me.

    First, commenting line 226 in system.ini.php can’t help but work; this is the line that throws the exception:

    function process($input)
    //TODO: Our own input filtering class in native PHP code
    //NOTE: Comment this line to don’t raise the exception an get the unfiltered input
    throw new Exception(“The Input Filter PHP extension is not setup on this PHP installation, so the contents returned by Input is *not* filtered”);

    So if you comment the line, you may get a different problem, but you will not get the same one.

    Second, installing the filter can be tricky. You can use PECL:, if you have full command-line access to your server, and if it is *nix. But it appears that the latest version doesn’t work with the VCL for PHP.

    Presumably these issues are why the developers are looking for a native PHP implementation.


  11. Well, you’re right in that commenting line 226 does stop the exception from being thrown, but that doesn’t mean the application works. When I comment out that line, pressing a button that has a little bit of code attached now gets me a blank page instead of the call stack and error message. No improvement.

    I’ve now tried this on a Fedora Core 6 server and I even tried it on a Windows Server today, just to see if I could get what amounts to “Hello World” to work. I’ve posted on Experts-Exchange. Nobody there knows, either.

    It’s amazing to me that this is so hard. Didn’t they test this stuff at all before shipping it? This product is totally unusable if I can’t deploy my applications.

  12. I forgot to address one point you made: I did install the PECL extensions. No change. Same error. I’m going to need extra blood pressure meds, soon.

  13. Well, you’re right in that commenting line 226 does stop the exception from being thrown, but that doesn’t mean the application works.

    Sorry, no idea at the moment. Clearly there is another problem in addition to the filter issue.


  14. If you were familiar with the VCL this would not happen.
    Do not blame Codegear for your lack of knowledge of programming.Codegear are a wonderful company with a wonderful product.

    Please everyone, buy this product since they need money to stay afloat.And email your friends to buy it too. If your company has extra budget, you should buy an extra copy of this promising product from this wonderful but sadly misunderstood company.

    Support Codegear while it is still around or it may not be around very soon !

    Buy at least one copy of Delphi for PHP despite this unreasonably negative review.

    Actually I wonder why it is so negative. I have my suspiciouns but will not post them here.

  15. Those who are using PHP 5.2x. In PHP 5.2 they added the pecl filter to PHP, so you no longer have to include it — it is compiled in by default now.

    However, they renamed one of the functions. So D4P doesn’t know that you have the filter, and can’t use it. I have a patched copy of the file on my site ( that you can download that supports both 5.1 and 5.2. I have let Jose (at Qadram know about it — so it might already be in the sourceforge by now)


  16. Rob,

    > Actually I wonder why it is so negative. I have my suspiciouns
    > but will not post them here.

    Please tell. And just to be clear:

    – This is not a review, it is first impressions
    – I know the (old) VCL intimately
    – Many of us want CodeGear to succeed, but that’s no reason to excuse what appears to be a rushed release.


  17. Well i just bouth a copy of it. And all do its not prefect im realy trilled to see that its easy for you guys to hunt bugs and even correct them (and compaining about them).
    But think of the posibilities.
    I can now atleast debug a php file and get code inside without having to learn annything (i use delphi daily) so for me its a bug plus.

    Debugging osCommerce with this is already a big thing. I have also like you played around with it to get something done my test app usaly consist of a DB grid. Now with the records limit set to 10 i never seem to get the next 20. Its probably just a matter of time before all requests are gathered and the first sales are known. On that they will surely base the need for a patch :-).

    I compile a opensource Delphi project osFinancials that links to PHP code (osCommerce and VTiger) so i get more and more the need to code in php.

    It was always a barier for me that just coding in notepad made the code far to hard to read.

    So i hope this will atleast be more efficient for me :-0

  18. If you are deploying to a site running 5.1 of PHP, this is the same version as that shipping with Delphi PHP. Check out the PHP.INI file and see how the input filter is set up. You may even be able to copy over the DLLs.

  19. @Tim: Nice write-up. It pretty much echoes my first impressions too. I am somewhat proficient with PHP, but a noob with Delphi. Delphi 4 PHP is not “there” yet, but it does show promise.

    @Nathan: Thank you for the patch. It seems to solve my problem on PHP 5.2.0. I think it reinforces the principle that updating the VCL will is a community effort. I hope that means that any security issues in future will be dealt with swiftly 🙂

Comments are closed.