Going from a framework to no-framework [closed]

Question

I've been developing in PHP for about 8 years as a hobby. In 2009, I picked up codeigniter and since then I've not managed to get a single project developed.

I find it slows me down trying to work out how to modify it to work the way I want, when if I was working in pure PHP, I'd know, or I'd be able to quickly find a snippet for.

I've tried CodeIgniter, Kohana and Symfony. I love the ease of use (and I've also started using doctrine as an ORM which massively sped up my database work), but I find projects are taking me 3-4 times the amount of time it took in pure PHP. I get bored and frustrated when I can't find a solution to a problem I've previously solved in pure PHP.

Has anyone gone back from using frameworks to a no-framework approach. Is there anything like a basic security framework (prevent XSS, filter posted data, provide a cleaning function for use with databases)? I think something like that would benefit me much more than a full scale framework. I think learning to work with frameworks has taught me a lot, but I'd be happier working with my own code.

Answer 1

Current versions of PHP5 include much of the security framework you're looking for as part of the standard library.

• Use filter_input_array to declaratively sanitize stuff coming in from the outside.
• Access your database via PDO with parameterized SQL to prevent SQL injection attacks.
• Use the following PHP settings to make your site more resistant to session fixation and cookie theft:
  • session.use_only_cookies (Prevents your session token from leaking into the URL)
  • session.cookie_httponly or the httponly attribute to session_set_cookie_params() (Protects against scripts reading the session cookie in compatible browsers)
  • More suggestions and PHP example code available on Wikipedia.
  • You can also use the httponly attribute with setcookie().
• Nothing fancier than basic templating and header-setting is required for new HTTP and HTML5 features:
  • HTTP Strict Transport Security (Helps protect against WiFi exploits.)
  • X-Frame-Options (Restrict embedding of your pages. Good against phishing.)
  • HTML5 IFrame Sandbox Attribute (Sandbox 3rd-party ads/badges/videos. Already in WebKit. Likely to be at least partially implemented in Firefox 11.)
  • Content Security Policy (Firefox 4's new security framework, complimentary to the sandbox attribute. Now also being implemented in Chrome.)

If you're accepting HTML as input, I recommend grabbing HTML Purifier and calling it via a FILTER_CALLBACK line in your filter_input_array setup. Its whitelist-based approach to input security makes a great (and very powerful) first line of defense against XSS.

As far as I can tell, PHP doesn't come with a mechanism for protecting against cross-site request forgery, but I'm sure Google can help you with that one. The OWASP Security Cheatsheets include a section on it if you want to implement your own protection.

Out of curiosity, I decided to also start looking at standalone components and here's what I've found so far:

Templating:

• PHP Template Inheritance (Regular PHP plus template inheritance)
• TWIG (Django/Jinja2/Liquid-style syntax including autoescape and sandboxing. Compiles to cached PHP for speed.)
• Dwoo (A faster, more featureful, PHP5-ish successor to Smarty. Includes a compatibility system for existing Smarty templates.)

Stuff I still haven't looked into properly:

• Route dispatching (Only found RouteMap and Net_URL_Mapper so far. Thanks, cweiske.)
• ORM (Just in case bare PDO isn't your thing)