Going from a framework to no-framework

Question

I've been developing in PHP for about 8 years as a hobby. In 2009, I picked up codeigniter and since then I've not managed to get a single project developed.

I find it slows me down trying to work out how to modify it to work the way I want, when if I was working in pure PHP, I'd know, or I'd be able to quickly find a snippet for.

I've tried CodeIgniter, Kohana and Symfony. I love the ease of use (and I've also started using doctrine as an ORM which massively sped up my database work), but I find projects are taking me 3-4 times the amount of time it took in pure PHP. I get bored and frustrated when I can't find a solution to a problem I've previously solved in pure PHP.

Has anyone gone back from using frameworks to a no-framework approach. Is there anything like a basic security framework (prevent XSS, filter posted data, provide a cleaning function for use with databases)? I think something like that would benefit me much more than a full scale framework. I think learning to work with frameworks has taught me a lot, but I'd be happier working with my own code.

Answer 1

With that much experience behind you, you must have your own set of favorite libraries, hand pick them and come up with your own simple framework. Framework or no framework (and which one at that) depends on the kind of project at hand, no glove fits all. So i would strongly suggest that if you feel that the existing frameworks are slowing you down, spend sometime and come up with a framework which works as per your needs.

Answer 2

Zend Framework is really super for that. You can use as much or as little as you want. Its all coded in php and open sourced so you can just hack at it and make it your own. The different component are not dependant on eachothers as much as in other frameworks.

You could build yourself a simple framework using some components from Zend without any problems.

Check it out!

Answer 3

Current versions of PHP5 include much of the security framework you're looking for as part of the standard library.

• Use filter_input_array to declaratively sanitize stuff coming in from the outside.
• Access your database via PDO with parameterized SQL to prevent SQL injection attacks.
• Use the following PHP settings to make your site more resistant to session fixation and cookie theft:
  • session.use_only_cookies (Prevents your session token from leaking into the URL)
  • session.cookie_httponly or the httponly attribute to session_set_cookie_params() (Protects against scripts reading the session cookie in compatible browsers)
  • More suggestions and PHP example code available on Wikipedia.
  • You can also use the httponly attribute with setcookie().
• Nothing fancier than basic templating and header-setting is required for new HTTP and HTML5 features:
  • HTTP Strict Transport Security (Helps protect against WiFi exploits.)
  • X-Frame-Options (Restrict embedding of your pages. Good against phishing.)
  • HTML5 IFrame Sandbox Attribute (Sandbox 3rd-party ads/badges/videos. Already in WebKit.)
  • Content Security Policy (Firefox 4's new security framework, complimentary to the sandbox attribute)

If you're accepting HTML as input, I recommend grabbing HTML Purifier and calling it via a FILTER_CALLBACK line in your filter_input_array setup. Its whitelist-based approach to input security makes a great (and very powerful) first line of defense against XSS.

As far as I can tell, PHP doesn't come with a mechanism for protecting against cross-site request forgery, but I'm sure Google can help you with that one. The OWASP Security Cheatsheets include a section on it if you want to implement your own protection.

Out of curiosity, I decided to also start looking at standalone components and here's what I've found so far:

Templating:

• PHP Template Inheritance (Regular PHP plus template inheritance)
• TWIG (Django/Jinja2/Liquid-style syntax including autoescape and sandboxing. Compiles to cached PHP for speed.)
• Dwoo (A faster, more featureful, PHP5-ish successor to Smarty. Includes a compatibility system for existing Smarty templates.)

Stuff I still haven't looked into properly:

• Route dispatching (Only found RouteMap so far)
• ORM (Just in case bare PDO isn't your thing)

Answer 4

For basic security, I use a custom filter method that wraps up my superglobals. Its syntax needs some getting used to, but is simpler than the PHP filter_var() API and doesn't let you slip sanitization:

 $_GET->text("inputvar") or $_POST->name["field"]

It also allowed inline $_REQUEST->sql() escaping. But for database work keep using parameterized SQL, or your DAL/ORM of choice.

Answer 5

Based on your statement that you've been using PHP as a hobby, as well as your profile statement "Slowly getting there", this seems like a learning curve issue. You don't appear to have the depth and breadth of experience to a) understand how to work within the structure that the framework imposes and b) you are thus unable to benefit from the efficiencies that the framework enables.

I urge you to stick with it. Go back to the beginning with the video tutorials. Find and read other peoples code until you understand it. Build your projects from the bottom up - start simply, and add functionality. Follow the forums, trying to answer questions yourself before reading replies.

I've been programming professionally for almost 20 years, across a variety of platforms, and it still took me a while to become comfortable with CI. But now that I am, I wouldn't go back to pure PHP (for my own projects) unless I had a site of sufficient scale that it exposed quantifiable performance issues (think Twitter).