Going from a framework to no-framework
I've been developing in PHP for about 8 years as a hobby. In 2009, I picked up codeigniter and since then I've not managed to get a single project developed.
I find it slows me down trying to work out how to modify it to work the way I want, when if I was working in pure PHP, I'd know, or I'd be able to quickly find a snippet for.
I've tried CodeIgniter, Kohana and Symfony. I love the ease of use (and I've also started using doctrine as an ORM which massively sped up my database work), but I find projects are taking me 3-4 times the amount of time it took in pure PHP. I get bored and frustrated when I can't find a solution to a problem I've previously solved in pure PHP.
Has anyone gone back from using frameworks to a no-framework approach. Is there anything like a basic security framework (prevent XSS, filter posted data, provide a cleaning function for use with databases)? I think something like that would benefit me much more than a full scale framework. I think learning to work with frameworks has taught me a lot, but I'd be happier working with my own code.
Answer
Current versions of PHP5 include much of the security framework you're looking for as part of the standard library.
- Use filter_input_array to declaratively sanitize stuff coming in from the outside.
- Access your database via PDO with parameterized SQL to prevent SQL injection attacks.
- Use the following PHP settings to make your site more resistant to session fixation and cookie theft:
- session.use_only_cookies (Prevents your session token from leaking into the URL)
- session.cookie_httponly or the
httponlyattribute to session_set_cookie_params() (Protects against scripts reading the session cookie in compatible browsers) - More suggestions and PHP example code available on Wikipedia.
- You can also use the
httponlyattribute with setcookie().
- Nothing fancier than basic templating and header-setting is required for new HTTP and HTML5 features:
- HTTP Strict Transport Security (Helps protect against WiFi exploits.)
- X-Frame-Options (Restrict embedding of your pages. Good against phishing.)
- HTML5 IFrame Sandbox Attribute (Sandbox 3rd-party ads/badges/videos. Already in WebKit. Likely to be at least partially implemented in Firefox 11.)
- Content Security Policy (Firefox 4's new security framework, complimentary to the sandbox attribute. Now also being implemented in Chrome.)
If you're accepting HTML as input, I recommend grabbing HTML Purifier and calling it via a FILTER_CALLBACK line in your filter_input_array setup. Its whitelist-based approach to input security makes a great (and very powerful) first line of defense against XSS.
As far as I can tell, PHP doesn't come with a mechanism for protecting against cross-site request forgery, but I'm sure Google can help you with that one. The OWASP Security Cheatsheets include a section on it if you want to implement your own protection.
Out of curiosity, I decided to also start looking at standalone components and here's what I've found so far:
Templating:
- PHP Template Inheritance (Regular PHP plus template inheritance)
- TWIG (Django/Jinja2/Liquid-style syntax including autoescape and sandboxing. Compiles to cached PHP for speed.)
- Dwoo (A faster, more featureful, PHP5-ish successor to Smarty. Includes a compatibility system for existing Smarty templates.)
Stuff I still haven't looked into properly:
- Route dispatching (Only found RouteMap and Net_URL_Mapper so far. Thanks, cweiske.)
- ORM (Just in case bare PDO isn't your thing)