Going from a framework to no-framework [closed]

Current versions of PHP5 include much of the security framework you're looking for as part of the standard library.

  • Use filter_input_array to declaratively sanitize stuff coming in from the outside.
  • Access your database via PDO with parameterized SQL to prevent SQL injection attacks.
  • Use the following PHP settings to make your site more resistant to session fixation and cookie theft:
    • session.use_only_cookies (Prevents your session token from leaking into the URL)
    • session.cookie_httponly or the httponly attribute to session_set_cookie_params() (Protects against scripts reading the session cookie in compatible browsers)
    • More suggestions and PHP example code available on Wikipedia.
    • You can also use the httponly attribute with setcookie().
  • Nothing fancier than basic templating and header-setting is required for new HTTP and HTML5 features:
    • HTTP Strict Transport Security (Helps protect against WiFi exploits.)
    • X-Frame-Options (Restrict embedding of your pages. Good against phishing.)
    • HTML5 IFrame Sandbox Attribute (Sandbox 3rd-party ads/badges/videos. Already in WebKit. Likely to be at least partially implemented in Firefox 11.)
    • Content Security Policy (Firefox 4's new security framework, complementary to the sandbox attribute. Now also being implemented in Chrome.)

If you're accepting HTML as input, I recommend grabbing HTML Purifier and calling it via a FILTER_CALLBACK line in your filter_input_array setup. Its whitelist-based approach to input security makes a great (and very powerful) first line of defense against XSS.

As far as I can tell, PHP doesn't come with a mechanism for protecting against cross-site request forgery, but I'm sure Google can help you with that one. The OWASP Security Cheatsheets include a section on it if you want to implement your own protection.

Out of curiosity, I decided to also start looking at standalone components and here's what I've found so far:

Templating:

  • PHP Template Inheritance (Regular PHP plus template inheritance)
  • TWIG (Django/Jinja2/Liquid-style syntax including autoescape and sandboxing. Compiles to cached PHP for speed.)
  • Dwoo (A faster, more featureful, PHP5-ish successor to Smarty. Includes a compatibility system for existing Smarty templates.)

Stuff I still haven't looked into properly:

  • Route dispatching (Only found RouteMap and Net_URL_Mapper so far. Thanks, cweiske.)
  • ORM (Just in case bare PDO isn't your thing)
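The pieces this answer lists can be wired together in a single request bootstrap. The block below is an added example written for this page, not code from the answer above or from any of the projects it names; it assumes PHP 7.4 or later (for `session_set_cookie_params()` with an options array, `random_bytes()` and arrow functions), a site served over HTTPS, and a constructed `comments` table with placeholder DSN and credentials. It shows the hardened session settings, the response headers, a CSRF token check (which PHP does not provide out of the box), a declarative `filter_input_array()` with a `FILTER_CALLBACK` slot, and a parameterised `INSERT` through PDO.

```php
<?php
// Added example (not from the original answer). Table, column and field
// names are constructed; the DSN and credentials are placeholders.
declare(strict_types=1);

// --- Session hardening (must run before session_start) -------------------
ini_set('session.use_only_cookies', '1');   // never accept a session id from the URL
ini_set('session.use_strict_mode', '1');    // refuse ids the server did not issue (fixation defence)
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,    // assumes HTTPS: cookie is never sent in clear text
    'httponly' => true,    // not readable by script in the browser
    'samesite' => 'Lax',   // cross-site POSTs do not carry the cookie
]);
session_start();

// --- Response headers (before any output) --------------------------------
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
header('X-Frame-Options: DENY');
header("Content-Security-Policy: default-src 'self'; frame-ancestors 'none'");
header('X-Content-Type-Options: nosniff');

// --- CSRF token: one per session, checked on every state-changing request
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrfValid(?string $submitted): bool
{
    // hash_equals() compares in constant time; a missing token never matches
    return isset($_SESSION['csrf'], $submitted)
        && hash_equals($_SESSION['csrf'], $submitted);
}

// --- Declarative input filtering -----------------------------------------
// FILTER_CALLBACK hands each raw field to a function of our choosing. Here the
// callback escapes for HTML output; a site accepting rich HTML would call
// HTML Purifier's purify() in this same slot instead.
$input = filter_input_array(INPUT_POST, [
    'csrf'    => FILTER_UNSAFE_RAW,
    'user_id' => ['filter' => FILTER_VALIDATE_INT, 'options' => ['min_range' => 1]],
    'email'   => FILTER_VALIDATE_EMAIL,
    'comment' => [
        'filter'  => FILTER_CALLBACK,
        'options' => static fn($v) => htmlspecialchars((string) $v, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
    ],
]);

// --- Parameterised SQL via PDO -------------------------------------------
function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'REPLACE_ME', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,  // real server-side prepared statements
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function saveComment(PDO $pdo, int $userId, string $email, string $comment): void
{
    // User data travels as bound parameters; the SQL text never contains it
    $stmt = $pdo->prepare('INSERT INTO comments (user_id, email, body) VALUES (:uid, :email, :body)');
    $stmt->execute([':uid' => $userId, ':email' => $email, ':body' => $comment]);
}

// --- Request handling ----------------------------------------------------
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!is_array($input) || !csrfValid($input['csrf'] ?? null)) {
        http_response_code(403);
        exit('Request rejected');
    }
    // Validation filters yield false on bad input and null on a missing field;
    // reject the whole request rather than continuing with partial data
    if (in_array(false, $input, true) || in_array(null, $input, true)) {
        http_response_code(422);
        exit('Invalid input');
    }
    saveComment(connect(), $input['user_id'], $input['email'], $input['comment']);
    header('Location: /thanks', true, 303);
    exit;
}

// GET: render the form with the session's token embedded
$token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
echo '<form method="post"><input type="hidden" name="csrf" value="' . $token . '">...</form>';
```

The order matters: `ini_set()` and `session_set_cookie_params()` only take effect if they run before `session_start()`, and every `header()` call has to precede the first byte of output. `FILTER_VALIDATE_*` filters return `false` for a rejected value, so the strict `in_array()` checks turn any single bad field into a refused request instead of a half-valid insert.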

I don't believe in frameworks... I have worked in many of them.

Reasons for hating MVC frameworks:

1) Code bloat. I purchase premium classes that assist me in development, such as form classes or SQL classes.

2) I believe that MVC frameworks are not easily portable especially when using dependency managers.

3) I believe that you actually write more code with an MVC framework than if you had to use a boilerplate with a ton of useful classes that handle authentication etc.

4) Most frameworks also cater for just one or two databases natively.

I would suggest finding a form framework with authentication and text editor & an SQL framework like madoo + an email class...

90% of your application is always forms, SQL & AJAX CLASSES - the rest can just be acquired when needed

I am a minimalist and I struggle with the idea of having code in my application that is not doing anything... "just in case I need it" does not work for me.


With that much experience behind you, you must have your own set of favorite libraries; hand pick them and come up with your own simple framework. Framework or no framework (and which one at that) depends on the kind of project at hand; no glove fits all. So I would strongly suggest that if you feel that the existing frameworks are slowing you down, spend some time and come up with a framework which works as per your needs.


Based on your statement that you've been using PHP as a hobby, as well as your profile statement "Slowly getting there", this seems like a learning curve issue. You don't appear to have the depth and breadth of experience to a) understand how to work within the structure that the framework imposes and b) benefit from the efficiencies that the framework enables.

I urge you to stick with it. Go back to the beginning with the video tutorials. Find and read other people's code until you understand it. Build your projects from the bottom up - start simply, and add functionality. Follow the forums, trying to answer questions yourself before reading replies.

I've been programming professionally for almost 20 years, across a variety of platforms, and it still took me a while to become comfortable with CI. But now that I am, I wouldn't go back to pure PHP (for my own projects) unless I had a site of sufficient scale that it exposed quantifiable performance issues (think Twitter).


Zend Framework is really super for that. You can use as much or as little as you want. It's all coded in PHP and open sourced, so you can just hack at it and make it your own. The different components are not dependent on each other as much as in other frameworks.

You could build yourself a simple framework using some components from Zend without any problems.

Check it out!