I’ve been developing in PHP for about 8 years as a hobby. In 2009, I picked up codeigniter and since then I’ve not managed to get a single project developed.
I find it slows me down trying to work out how to modify it to work the way I want, when if I was working in pure PHP, I’d know, or I’d be able to quickly find a snippet for.
I’ve tried CodeIgniter, Kohana and Symfony. I love the ease of use (and I’ve also started using doctrine as an ORM which massively sped up my database work), but I find projects are taking me 3-4 times the amount of time it took in pure PHP. I get bored and frustrated when I can’t find a solution to a problem I’ve previously solved in pure PHP.
Has anyone gone back from using frameworks to a no-framework approach. Is there anything like a basic security framework (prevent XSS, filter posted data, provide a cleaning function for use with databases)? I think something like that would benefit me much more than a full scale framework. I think learning to work with frameworks has taught me a lot, but I’d be happier working with my own code.
Current versions of PHP5 include much of the security framework you’re looking for as part of the standard library.
httponlyattribute to session_set_cookie_params() (Protects against scripts reading the session cookie in compatible browsers)httponlyattribute with setcookie().If you’re accepting HTML as input, I recommend grabbing HTML Purifier and calling it via a FILTER_CALLBACK line in your filter_input_array setup. Its whitelist-based approach to input security makes a great (and very powerful) first line of defense against XSS.
As far as I can tell, PHP doesn’t come with a mechanism for protecting against cross-site request forgery, but I’m sure Google can help you with that one. The OWASP Security Cheatsheets include a section on it if you want to implement your own protection.
Out of curiosity, I decided to also start looking at standalone components and here’s what I’ve found so far:
Templating:
Stuff I still haven’t looked into properly: