I've been developing in PHP for about 8 years as a hobby. In 2009, I picked up codeigniter and since then I've not managed to get a single project developed.
I find it slows me down trying to work out how to modify it to work the way I want, when if I was working in pure PHP, I'd know, or I'd be able to quickly find a snippet for.
I've tried CodeIgniter, Kohana and Symfony. I love the ease of use (and I've also started using doctrine as an ORM which massively sped up my database work), but I find projects are taking me 3-4 times the amount of time it took in pure PHP. I get bored and frustrated when I can't find a solution to a problem I've previously solved in pure PHP.
Has anyone gone back from using frameworks to a no-framework approach. Is there anything like a basic security framework (prevent XSS, filter posted data, provide a cleaning function for use with databases)? I think something like that would benefit me much more than a full scale framework. I think learning to work with frameworks has taught me a lot, but I'd be happier working with my own code.
Current versions of PHP5 include much of the security framework you're looking for as part of the standard library.
- Use filter_input_array to declaratively sanitize stuff coming in from the outside.
- Access your database via PDO with parameterized SQL to prevent SQL injection attacks.
- Use the following PHP settings to make your site more resistant to session fixation and cookie theft:
- session.use_only_cookies (Prevents your session token from leaking into the URL)
- session.cookie_httponly or the
httponlyattribute to session_set_cookie_params() (Protects against scripts reading the session cookie in compatible browsers)
- More suggestions and PHP example code available on Wikipedia.
- You can also use the
httponlyattribute with setcookie().
- Nothing fancier than basic templating and header-setting is required for new HTTP and HTML5 features:
- HTTP Strict Transport Security (Helps protect against WiFi exploits.)
- X-Frame-Options (Restrict embedding of your pages. Good against phishing.)
- HTML5 IFrame Sandbox Attribute (Sandbox 3rd-party ads/badges/videos. Already in WebKit. Likely to be at least partially implemented in Firefox 11.)
- Content Security Policy (Firefox 4's new security framework, complimentary to the sandbox attribute. Now also being implemented in Chrome.)
If you're accepting HTML as input, I recommend grabbing HTML Purifier and calling it via a FILTER_CALLBACK line in your filter_input_array setup. Its whitelist-based approach to input security makes a great (and very powerful) first line of defense against XSS.
As far as I can tell, PHP doesn't come with a mechanism for protecting against cross-site request forgery, but I'm sure Google can help you with that one. The OWASP Security Cheatsheets include a section on it if you want to implement your own protection.
Out of curiosity, I decided to also start looking at standalone components and here's what I've found so far:
- PHP Template Inheritance (Regular PHP plus template inheritance)
- TWIG (Django/Jinja2/Liquid-style syntax including autoescape and sandboxing. Compiles to cached PHP for speed.)
- Dwoo (A faster, more featureful, PHP5-ish successor to Smarty. Includes a compatibility system for existing Smarty templates.)
Stuff I still haven't looked into properly:
Based on your statement that you've been using PHP as a hobby, as well as your profile statement "Slowly getting there", this seems like a learning curve issue. You don't appear to have the depth and breadth of experience to a) understand how to work within the structure that the framework imposes and b) you are thus unable to benefit from the efficiencies that the framework enables.
I urge you to stick with it. Go back to the beginning with the video tutorials. Find and read other peoples code until you understand it. Build your projects from the bottom up - start simply, and add functionality. Follow the forums, trying to answer questions yourself before reading replies.
I've been programming professionally for almost 20 years, across a variety of platforms, and it still took me a while to become comfortable with CI. But now that I am, I wouldn't go back to pure PHP (for my own projects) unless I had a site of sufficient scale that it exposed quantifiable performance issues (think Twitter).
I don't believe in frameworks... I have worked in many of them.
Reasons for hating MVC frameworks:
1) Code bloat, I purchase premium classes that assist me in development. Such as form classes or SQL classes.
2) I believe that MVC frameworks are not easily portable especially when using dependency managers.
3) I believe that you actually write more code with a MVC framework then if you had to use a boilerplate with a ton of useful classes that handle authentication etc.
4) Most frameworks also cater for just one or two databases natively.
I would suggest finding a form framework with authentication and text editor & a sql framework like madoo + a email class...
90% of your application is always forms , sql & ajax CLASSES - the rest can just be acquired when needed
I am a minimalist and I struggle with the idea of having code in my application that is not doing anything ... just in case I need it does not work for me.
With that much experience behind you, you must have your own set of favorite libraries, hand pick them and come up with your own simple framework. Framework or no framework (and which one at that) depends on the kind of project at hand, no glove fits all. So i would strongly suggest that if you feel that the existing frameworks are slowing you down, spend sometime and come up with a framework which works as per your needs.
Zend Framework is really super for that. You can use as much or as little as you want. Its all coded in php and open sourced so you can just hack at it and make it your own. The different component are not dependant on eachothers as much as in other frameworks.
You could build yourself a simple framework using some components from Zend without any problems.
Check it out!
For basic security, I use a custom filter method that wraps up my superglobals. Its syntax needs some getting used to, but is simpler than the PHP filter_var() API and doesn't let you slip sanitization:
$_GET->text("inputvar") or $_POST->name["field"]
It also allowed inline $_REQUEST->sql() escaping. But for database work keep using parameterized SQL, or your DAL/ORM of choice.
I did a one day study of ToroPHP and found it quite nice. It is a minimalist framework targetted to RESTful applications. This makes it possible to keep the server side code modular, without having to deal with bloat of any framework.
I don't know what is troubling you but codeigniter is a great framework.It has nice documentation and since lots of people use codeigniter you will find all the help in its documentation,or forum or on stackoverflow.I have worked on many frameworks (Codeigniter,CakePHP,Zend,Spring 3.0, Ruby on Rails),but I must say codeigniter has the best documentation.There are lot of things in codeigiter which are automatically handled and you don't have to worry about security. Working on core PHP is like re-inventing the wheel. Well the most important thing is that moving from a core to framework will need lots of your effort once you are used to it, you will start loving it.Also Ruby on rails is also a great framework once you know its ins and outs you can have double speed.
I Know exactly the way you feel. I started 4~5 years ago in PHP (I came from Delphi, lol), and started in pure php. What I had back them was a "CMS Panel like" wich just read all tables fields and create the form. After sometime I reached somehow in the knowledge of PHP Frameworks, I tried CakePHP for first and didn't liked, after, got into Yii wich in my opinion is pretty intuitive and easy-use (With it's Gii generator it rocks pretty much). I Tried Symfony, ZF2, Laravel, Yii2-Beta and some frameworks for RAD, but still I wasn't feeling fast enough like before the frameworks.
Happened that I developed my own framework (It was naturally, not exactly that I woke up some day and said "I'm going to create a new framework", happened with the time) . I Know it's a bad bad bad practice and "wheel reinvention" move, BUT, I now develop my projects much faster (more than PHP only).
Since it's code is a total MESS, I started about one month ago to reformulating my framework, now it uses composer, follows common rules that exists between the php frameworks, is MVC.
Why I'm reformulating ? Because if someone needs to repair a project of mine it will not be a another world thing.
So I Understand you.
My Advice is, prepare your tools (call it a framework, a preset-app or whatever people names it), and use it the way you feel better, but still follow some common rules (Like MVC, "easy to module" things wich you can replace in case of broken.