Going from a framework to no-framework

Question

I've been developing in PHP for about 8 years as a hobby. In 2009, I picked up codeigniter and since then I've not managed to get a single project developed.

I find it slows me down trying to work out how to modify it to work the way I want, when if I was working in pure PHP, I'd know, or I'd be able to quickly find a snippet for.

I've tried CodeIgniter, Kohana and Symfony. I love the ease of use (and I've also started using doctrine as an ORM which massively sped up my database work), but I find projects are taking me 3-4 times the amount of time it took in pure PHP. I get bored and frustrated when I can't find a solution to a problem I've previously solved in pure PHP.

Has anyone gone back from using frameworks to a no-framework approach. Is there anything like a basic security framework (prevent XSS, filter posted data, provide a cleaning function for use with databases)? I think something like that would benefit me much more than a full scale framework. I think learning to work with frameworks has taught me a lot, but I'd be happier working with my own code.

i would love to hear more about why you said about using framework taking 3-4 times of the time compared to no-framework .. do you mind elaborating more on that? — Lukman, Sep 08 '10 at 01:52
One of the benefits of CI, or any framework, is that it forces you into design pattern that is easier for developers not accustomed to your particular development style to maintain. Also, in larger environments, separating views from logic is essential so your CSS gurus can do their thing without stepping on the developers' toes. — Kyle Noland, May 23 '11 at 23:44
Great question, if I ever have a choice, I use pure PHP. But most of the time, the people I work for want me to use a framework, so I just charge them the extra hours :) I feel like my own code is readable, well-organized and stable. Perhaps they fear having to keep you on board if a disaster occurs and all the code is in a "your-custom-framework-that-noone-else-can-read" state. — SSH This, May 10 '13 at 22:24

score 101 · Accepted Answer · edited May 23 '17 at 12:16

Current versions of PHP5 include much of the security framework you're looking for as part of the standard library.

Use filter_input_array to declaratively sanitize stuff coming in from the outside.
Access your database via PDO with parameterized SQL to prevent SQL injection attacks.
Use the following PHP settings to make your site more resistant to session fixation and cookie theft:
- session.use_only_cookies (Prevents your session token from leaking into the URL)
- session.cookie_httponly or the httponly attribute to session_set_cookie_params() (Protects against scripts reading the session cookie in compatible browsers)
- More suggestions and PHP example code available on Wikipedia.
- You can also use the httponly attribute with setcookie().
Nothing fancier than basic templating and header-setting is required for new HTTP and HTML5 features:
- HTTP Strict Transport Security (Helps protect against WiFi exploits.)
- X-Frame-Options (Restrict embedding of your pages. Good against phishing.)
- HTML5 IFrame Sandbox Attribute (Sandbox 3rd-party ads/badges/videos. Already in WebKit. Likely to be at least partially implemented in Firefox 11.)
- Content Security Policy (Firefox 4's new security framework, complimentary to the sandbox attribute. Now also being implemented in Chrome.)

If you're accepting HTML as input, I recommend grabbing HTML Purifier and calling it via a FILTER_CALLBACK line in your filter_input_array setup. Its whitelist-based approach to input security makes a great (and very powerful) first line of defense against XSS.

As far as I can tell, PHP doesn't come with a mechanism for protecting against cross-site request forgery, but I'm sure Google can help you with that one. The OWASP Security Cheatsheets include a section on it if you want to implement your own protection.

Out of curiosity, I decided to also start looking at standalone components and here's what I've found so far:

Templating:

PHP Template Inheritance (Regular PHP plus template inheritance)
TWIG (Django/Jinja2/Liquid-style syntax including autoescape and sandboxing. Compiles to cached PHP for speed.)
Dwoo (A faster, more featureful, PHP5-ish successor to Smarty. Includes a compatibility system for existing Smarty templates.)

Stuff I still haven't looked into properly:

Route dispatching (Only found RouteMap and Net_URL_Mapper so far. Thanks, cweiske.)
ORM (Just in case bare PDO isn't your thing)

Thanks, all very good advice and I'm going to start looking into them now! — Alex C, Sep 10 '10 at 04:50
Swap out Smarty for Dwoo if you need a templating engine. Featurewise it's almost identical to Smarty but doesn't melt CPU's. — Phil Sturgeon, Oct 11 '10 at 11:21
http://pear.php.net/package/Net_URL_Mapper is a route dispatcher. — cweiske, Jun 08 '11 at 20:45
If frameworks slow you down then avoid templating engines, Smarty in particular, like the plague. They mean well but they just create a new and non-intuitive way of doing something that PHP already does. — Night Owl, Aug 02 '11 at 05:39
Depends on what you're trying to accomplish and why the framework just slows you down. — ssokolow, Aug 03 '11 at 02:11
I generally agree with @NightOwl, but one alternative is [TinyButStrong](http://www.tinybutstrong.com/) - it's a template language that's more functional than imperative. Very different than ones I've seen before, and I like it much more than bare PHP, Django, or others I've tried. — Izkata, Mar 13 '13 at 18:31

score 10 · Answer 2 · answered May 26 '14 at 22:02

I don't believe in frameworks... I have worked in many of them.

Reasons for hating MVC frameworks:

1) Code bloat, I purchase premium classes that assist me in development. Such as form classes or SQL classes.

2) I believe that MVC frameworks are not easily portable especially when using dependency managers.

3) I believe that you actually write more code with a MVC framework then if you had to use a boilerplate with a ton of useful classes that handle authentication etc.

4) Most frameworks also cater for just one or two databases natively.

I would suggest finding a form framework with authentication and text editor & a sql framework like madoo + a email class...

90% of your application is always forms , sql & ajax CLASSES - the rest can just be acquired when needed

I am a minimalist and I struggle with the idea of having code in my application that is not doing anything ... just in case I need it does not work for me.

Regarding the statement "I purchase premium classes": from where do you purchase such classes, and for what purposes? Thanks. — dotancohen, Apr 05 '15 at 14:06
I agree. Also there is a sizable performance hit with a lot of frameworks. — brettwhiteman, Aug 11 '15 at 02:06

score 8 · Answer 3 · answered Sep 07 '10 at 01:15

With that much experience behind you, you must have your own set of favorite libraries, hand pick them and come up with your own simple framework. Framework or no framework (and which one at that) depends on the kind of project at hand, no glove fits all. So i would strongly suggest that if you feel that the existing frameworks are slowing you down, spend sometime and come up with a framework which works as per your needs.

score 8 · Answer 4 · answered Sep 12 '10 at 17:32

8

Based on your statement that you've been using PHP as a hobby, as well as your profile statement "Slowly getting there", this seems like a learning curve issue. You don't appear to have the depth and breadth of experience to a) understand how to work within the structure that the framework imposes and b) you are thus unable to benefit from the efficiencies that the framework enables.

I urge you to stick with it. Go back to the beginning with the video tutorials. Find and read other peoples code until you understand it. Build your projects from the bottom up - start simply, and add functionality. Follow the forums, trying to answer questions yourself before reading replies.

I've been programming professionally for almost 20 years, across a variety of platforms, and it still took me a while to become comfortable with CI. But now that I am, I wouldn't go back to pure PHP (for my own projects) unless I had a site of sufficient scale that it exposed quantifiable performance issues (think Twitter).

answered Sep 12 '10 at 17:32

coolgeek

903
6
8

I'm still on the borderline whether or not I like frameworks too. I definitely see the OP's point, but I see yours too... learning a framework is like learning a whole new language. You have to get into the framework's way of doing things. Another thing that I struggle with, however, is if my philosophy of how things should be done is different than that of the framework. I'm still trying to find one that suits me. (Can't wait for .NET MVC3) – mpen Sep 12 '10 at 18:26
As yet, I don't know any other frameworks, so I can't speak with any generality. But using a framework isn't an all or nothing proposition. For instance, I find CI's caching libraries (page, database) insufficient and not readily scalable. So I use a third party cache library (Phil Sturgeon's) and I'm pretty happy with it. – coolgeek Sep 13 '10 at 01:04
Another significant advantage to sticking with it is that it makes it relatively easy to subsequently learn other frameworks. This is why you frequently see job listings specifying a particular framework (say, CI), but stating that experience with similar frameworks (say Zend, or Symfony) will be considered. – coolgeek Sep 13 '10 at 01:08

score 2 · Answer 5 · answered Aug 22 '14 at 16:50

I Know exactly the way you feel. I started 4~5 years ago in PHP (I came from Delphi, lol), and started in pure php. What I had back them was a "CMS Panel like" wich just read all tables fields and create the form. After sometime I reached somehow in the knowledge of PHP Frameworks, I tried CakePHP for first and didn't liked, after, got into Yii wich in my opinion is pretty intuitive and easy-use (With it's Gii generator it rocks pretty much). I Tried Symfony, ZF2, Laravel, Yii2-Beta and some frameworks for RAD, but still I wasn't feeling fast enough like before the frameworks.

Happened that I developed my own framework (It was naturally, not exactly that I woke up some day and said "I'm going to create a new framework", happened with the time) . I Know it's a bad bad bad practice and "wheel reinvention" move, BUT, I now develop my projects much faster (more than PHP only).

Since it's code is a total MESS, I started about one month ago to reformulating my framework, now it uses composer, follows common rules that exists between the php frameworks, is MVC.

Why I'm reformulating ? Because if someone needs to repair a project of mine it will not be a another world thing.

So I Understand you.

My Advice is, prepare your tools (call it a framework, a preset-app or whatever people names it), and use it the way you feel better, but still follow some common rules (Like MVC, "easy to module" things wich you can replace in case of broken.

score 2 · Answer 6 · answered Sep 07 '10 at 01:30

2

Zend Framework is really super for that. You can use as much or as little as you want. Its all coded in php and open sourced so you can just hack at it and make it your own. The different component are not dependant on eachothers as much as in other frameworks.

You could build yourself a simple framework using some components from Zend without any problems.

Check it out!

answered Sep 07 '10 at 01:30

Iznogood

12,447
3
26
44

3

He is trying to move away from a framework. – WarmWaffles Sep 07 '10 at 02:44
1

@WarmWaffles. Wich is why I talked about using parts of ZF. Surelly you do not expect the guy to reinvent the wheel for everything. – Iznogood Sep 07 '10 at 02:57
2

Iznogood has a very good point. ZF is more than just a framework. I've found the packages to be extremely useful for doing a lot of common tasks, and there's nothing about it that forces you to use their MVC patterns or their DB access methods or really anything. Of course, you could just go with Pear modules, too. – Bob Baddeley Sep 07 '10 at 03:22
2

It is a library yes that also sports a framework. However he is looking for something easy to use, and last time I checked Zend's namespace is cluttered and a pain to type. @Bob_Baddeley PEAR is a good suggestion – WarmWaffles Sep 08 '10 at 00:00
@WarmWaffles Well to each his own I guess. Maybe you could recheck Zend its at 1.10.x now and pretty different then say 1.8. – Iznogood Sep 08 '10 at 00:10

Sachin Prasad · Answer 7 · 2013-10-10T16:18:19.257

1

I don't know what is troubling you but codeigniter is a great framework.It has nice documentation and since lots of people use codeigniter you will find all the help in its documentation,or forum or on stackoverflow.I have worked on many frameworks (Codeigniter,CakePHP,Zend,Spring 3.0, Ruby on Rails),but I must say codeigniter has the best documentation.There are lot of things in codeigiter which are automatically handled and you don't have to worry about security. Working on core PHP is like re-inventing the wheel. Well the most important thing is that moving from a core to framework will need lots of your effort once you are used to it, you will start loving it.Also Ruby on rails is also a great framework once you know its ins and outs you can have double speed.

edited Oct 10 '13 at 16:18

answered Oct 16 '12 at 20:49

Sachin Prasad

5,365
12
54
101

2

It's been just over two years since I posted this and I actually did work with pure PHP for a while, but have since transitioned back to PHP - you're exactly right, it is incredibly easy to use. My current preferred setup is CI, phpActiveRecord for databases and Twig for templating. – Alex C Oct 20 '12 at 01:08
Yeah, phpActiveRecord looks nice. Have you ever tried Laravel though? (http://www.laravel.com) I think you'll find it has the best of CI, phpActiveRecord and Twig all built in by default. I've been a CakePHP developer myself, but keenly looking at Laravel lately. – Simon East Feb 05 '14 at 11:22

score 1 · Answer 8 · answered Oct 24 '12 at 18:31

1

I did a one day study of ToroPHP and found it quite nice. It is a minimalist framework targetted to RESTful applications. This makes it possible to keep the server side code modular, without having to deal with bloat of any framework.

answered Oct 24 '12 at 18:31

Kinjal Dixit

7,777
2
59
68

score 1 · Answer 9 · answered Sep 07 '10 at 07:08

1

For basic security, I use a custom filter method that wraps up my superglobals. Its syntax needs some getting used to, but is simpler than the PHP filter_var() API and doesn't let you slip sanitization:

 $_GET->text("inputvar") or $_POST->name["field"]

It also allowed inline $_REQUEST->sql() escaping. But for database work keep using parameterized SQL, or your DAL/ORM of choice.

answered Sep 07 '10 at 07:08

mario

144,265
20
237
291

That's definitely a clever solution, but I'm not sure why you think the filter API is cumbersome. If anything, I think filter_input_array() is excellent. (Primarily because it makes it simple to define all the inputs for a given request type in one place in a reasonably declarative fashion. Never underestimate the benefit of that kind of thing.) – ssokolow Sep 07 '10 at 07:19
@ssokolow: Indeed, filter_input_array() is nifty for doing it in one swoop. However there is already too much flexibility in the filter_* functions, and too many parameters don't suit it. That's why I think people are eschewing it (even though it's technically a good solution). – mario Sep 07 '10 at 07:41
Perhaps. I think part of the problem is that, in addition to being a recent arrival in a world where a lot of people still have PHP4 books on their shelves, it's under-advertised, the official docs aren't clear enough, and the W3Schools docs which tend to share Google's top results aren't comprehensive enough. – ssokolow Sep 07 '10 at 19:33

Going from a framework to no-framework

9 Answers9