Related
I just read the Twelve-Factor App, which looks like a pretty comprehensive set of rules to apply in a web-based application. It uses python or rails in its examples, but never php... I was wondering which factors of the manifesto can be applied to PHP projects and how?
Thanks
Short answer:
All points apply to PHP as the twelve factor app manifesto refers specifically for web apps.
PHP has a very hard time complying to twelve factor, in particular in the items 2, 7, 8 9 (as a side effect of 7 and 8) and 12 (partially). Actually that's the first really grounded argument I have heard in the whole "PHP sucks" rant that is common on the Ruby and Python communities (don't get me wrong, I think Ruby and Python are better languages, but I don't hate PHP, and definitively hate the "my language is better" rants.)
Being that said, it may be that your PHP project is not a web app or SaaS, but just a simple website, so you may just deem that twelve factor is not a need.
Long answer: A point-by-point analysis would be:
Codebase: not an issue
Dependencies: the way PEAR works goes quite against this point, as pear dependencies are installed system wide and usually you don't have a consolidated manifesto to declare them. Is also usual for a PHP setup to require you to add packages to your OS installation to get some libraries available. Finally AFAIK there isn't a tool in PHP to provide isolation like "virtualenv", "rbenv" or "rvm" (or if it exists is not popular among the PHP community) Edit: Composer (http://getcomposer.org/) seems to do the right regarding dependencies, it still doesn't isolate the PHP version, but for all the rest it should be fine.
Config: some PHP frameworks are not very well suited to do this, but there are certainly others that do well, so it's not a flaw of the platform itself
Backing Services: shouldn't be much of an issue, despite maybe having to hack some frameworks a little in order to manage the services as resources
Build, release, run: this is totally appliable to PHP as this definitively doesn't concern only "compiling". One may argue that several projects and hosting platforms on the PHP community abuse of direct FTP, etc. but that's not a flaw of PHP itself, and there is no real impediment on doing things right regarding this item.
Processes: This definitively concerns to PHP. PHP is quite capable of running purely stateless processes (the emphasis is on the word stateless), and actually several frameworks make your life easy for it. For example, symfony provides out-of-the-box session management with memcached or database storage instead of regular sessions
Port binding: Over simplyfing it, this point basically demands you to reverse proxy and have the actual webserver embedded on the app instead of being a separated component. This puts PHP in a very hard position to comply. Despite there are ways to do this (see the reply about using PHP as FastCGI) that's definitively not the most common nor the best supported way to serve a PHP app as it is on other communities (e.g. Ruby, Node.js).
Processes: This is not impossible in PHP. However several elements put PHP in a hard position to comply. Namely the lack of good support for items 6 and 7; the fact that the PHP API to spawn new processes isn't really very nice to work with; and specially the way Apache's mod_php handles their workers (which is by far the most common deployment schema for PHP)
Disposability: If you use the right tools there is nothing inherent on PHP to prevent you from creating fast, disposable, tidy web and worker processes. However I believe that since the underlying process model is hard to implement as per points 7 and 8, then 9 becomes a bit cumbersome as a side effect
Dev/prod parity: This is very platform agnostic, and I would say one of the hardest to get done right. PHP is no exception to this rule, but it doesn't have a particular impediment either. Actually most of the tools named on the manifesto can be applied to a PHP project
Logs: Having your app agnostic of the log system on the execution environment is totally doable on PHP
Admin processes: The most important flaw of PHP regarding this point is its lack of a REPL shell. Regarding the rest, several frameworks like Symfony allow you to program admin tasks (e.g Doctine-based database migrations) and run them on the same environment as your "regular" web envionrment.
Since the PHP community is evolving, it may be that it has already righted some of the wrongs mentioned.
Build, release, Run: Applicable to compiled code which is not the case in PHP. So this
point is not something you need to look at.
I don't claim any authority on this 12 factor stuff, but my read of that section is that the author would disagree. It's not just about compiling, it's about managing dependencies both in the small (the snapshot of the code) and in the large (any libraries the code uses).
Imagine you're a new dev and they say, "Okay, this is a custom php app, so...
a) The custom code is really two subprojects, which are in repo A and repo B.
b) You'll need to create a directory layout like so, and then
c) check the code for each subproject out into this subdirectory and this subdirectory.
d) You'll also need these three open source PHP libraries:
version 3.1 of library Foo,
version 2.3 of library Bar, and
version 5.6 of library Bat.
e) download them from their home project sites and unpack them, then copy them into this directory, that directory, and the other directory.
f) then you'll need to set these configurations in the external library,
g) and these configs in our two custom code projects.
h) once that's all done, tar/gzip it all up, upload it up to the QA server and untar it into htdocs.
There's no compiling going in that set of steps, but you can bet there's a lot of building.
Getting all of that set up and working is the build step.
Using tar/gzip to take a snapshot of the working build is the release step.
SCP'ing/unpacking it into the QA server's htdocs directory is the runtime step.
You might say that some of those steps above are unnecessary - the libraries should be deployed at the system level and merely imported. From the 12factors.net site I'd say the author prefers you to import them uniquely and individually for the app. It sidesteps dependency versioning problems at the cost of more disk space (not that anybody cares). There are more hassles in managing all those dependencies as local-to-the-app, but then that's the point of the build/release/runtime scheme.
It might have changed since you read it - there are a few PHP examples now, although a few of them seem like negations of the twelve-factor concept.
One of the ways that normal mod_php sites violate twelve-factor comes with VII. Port binding. From the manifesto:
The twelve-factor app is completely self-contained and does not rely on runtime injection of a webserver into the execution environment to create a web-facing service. The web app exports HTTP as a service by binding to a port, and listening to requests coming in on that port.
However, apache/php can be coaxed into this worldview with something like this:
https://gist.github.com/1398498
Not perfect, but it works for the most part. To test it out, install foreman:
gem install foreman
then run it in the directory you cloned the gist into:
foreman start
then visit
http://localhost:5000/foo
DO NOT TAKE THIS POST AS A REFERENCE, THIS WAS WRITTEN IN 2011, MANY THINGS HAVE CHANGED SINCE THEN... THE WORLD OF PROGRAMMING IS IN CONSTANT EVOLUTION. A POINT OF VIEW OF 2011 IS NOT NECESSARILY STILL VALID IN 2018.
I just read a few lines of each points and here goes my analysis of the document:
Codebase: Everyone, php or not should have a codebase even for the little projects
Dependecies: PHP uses includes and code libraries that you should always be able to port easily by simply copying the code to a server. Sometimes you use PEAR and then if the server doesn't support it, you have to copy and install pear manually. I use Zend Framework most of the time, so it's just copying the code of the framework with the ftp upload.
Config: It is common for php apps to have a writable config file that you store configurations into. Where you store it is your choice as a developer, but it is usually either at the root of your app or in a settings/config folder.
Backing Services: PHP does use backing service most of the time such as MySQL. Other common services depending on your app are twitter and facebook. You use their API to communicate with them and store/retrieve data to work with.
Build, release, Run: Applicable to compiled code which is not the case in PHP. So this point is not something you need to look at.
Processes: HTTP is stateless and is SERVED,thus, you usually have no process apart from the web server. This is not entirely true as a webservice may be bundled with applications you package with or create for it. But, for the sake of standards, you usually don't have to use processes in the web world.
Port binding: PHP doesn't apply to port binding at all because it is not a process that hooks to an address, Apache, NGinx or Lighttpd does that for you. Reading #6/7 makes me understand that a website could never be a Twelve-Factor app.
Concurrency: Again this point treats about processes which do not apply to PHP web pages. This point applies to the server serving the content.
Disposability: This point discusses about how fast a process should be. Obviously, PHP web sites not being a process shouldnt apply but always note that your website should execute pages as fast as possible... Always think about this block or that block of code and see if it is optimized.
Dev/Prod Parity: This point is crucial in any app development. You never want to have a large gap between two app versions or upgrading can become a hassle. Furthermore, never create client specific versions of an app. Always find ways to allow your app to be configured/customized at the template level so you can keep your app as close as possible to all installed versions everywhere.
Logs: Logs are always a good thing to have, they allow you to follow the process of your code without having to output it to screen. My favorite tactic is to "tail -f logfile" inside of a linux console and look at what is happening as i execute my code.
Admin processes: Not applicable, in php, you don't have processes, but you do have pages that you can secure with usernames and passwords.
I've been reading this site here and there and appears as though you guys have a wonderful community.
As for my background, I am a sophomore at university familiar with SQL, C++, Visual Basic, and some PHP. One of my school projects for the summer term involves building a web application that allows users to log in and schedule specific timeslots over the internet. Typically, I have been the only person working on a project, but in this case I will be part of a group. Since we're all relatively new to working as a team, I would like to set up source control for my group so we're not all working off a shared drive somewhere. Additionally, I would like to make sure that all of us are able to test our changes in some sort of development server that hosts an instance of our website.
My actual question is in regards to the toolset that we should use to achieve this. As a group, we are most familiar with PHP and MySQL so we'll end up using that for the code and database. I have used SVN in the past for my own personal use, but my group members aren't very familiar with source control. We'll probably stick with something simple like Excel for the project management and bug tracking side of things. Ideally, we would like the tools to be free and open source.
How as a group should we manage the construction of the actual application? Are there methods out there that I can use that will allow any one of us to move the files to our development machine and keep track of who did it so we don't end up overwriting each other's changes? If this is not possible, one of us will write some scripts to handle it - but I would like to avoid building basically a separate software application that will only be used to manage our project. Another issue I foresee will be updating the database running on the development machine. Are there any standardised methods that we can use to manage our SQL scripts among the four of us?
I do not expect a really long winded answer here (after all, this is our project!), but any helpful tips would be greatly appreciated. Once I return from holiday I am looking forward to getting started! Thanks!
I recommend your group use source control to synchronize your code. You can either setup your own server or just use a free provider such as github, Google code, or bitbucket.
If you do decide to use one of these sites, a nice feature is that they provide free issue tracking as well, so you can use that instead of Excel.
The best way to manage the SQL scripts is to break them out into separate files and place them under source control as well. You can either create .sql files, or use a tool to manage these changes - for example, have a look at Ruby on Rails' Migrations. This may take some effort to setup, but you'll thank yourself later if you are working on a project of any size...
Draw up a plan for how you would do it if it were just you.
Split the plan up into tasks that take around 3-4 hours to complete. Make sure each task has a measurable objective.
Divy out the tasks. Try to sort them if possible to maximize developer efficiency.
Teach them to use source control. Explain to them that they will use this (maybe not svn, but SOMETHING) in a few years, so they might as well learn how now. Additionally, this will help in every group project they do down the road.
Make a script for building and running your tests. Also script your deployment. This will ensure you have the same mechanism going to live as you do going to test, which increases the number of defects found in testing. (This is as opposed to letting them exist but not found in testing.)
You mentioned updating the development database. It would be entirely reasonable to dump the development database often with a refresh from live. You may want to make 3 environments. Development, staging, and production. The development database would contain fabricated test data. The staging database would have a copy of live (recent to within a few days maybe.) And of course live is live.
Excel works fine as a "bug database." Consider putting it in source control that you manipulate and commit. This will give you a good idea of what happened over time, and you can correct mistakes quicker.
As far as source/version control, I would recommend subversion. There are some GUI tools they might use, or even webDAV to access the SVN. This will allow users to edit files collaboratively and also give you details as to who edited what, when, and why... SVN will also do a pretty good job at merging files that happen to be saved at the same time.
It's not the easiest concept to wrap your head around, but its not very complicated once you get running.
I suggest having everyone read the first chapter from: http://svnbook.red-bean.com/en/1.5/
and they should have a good idea of what's happening.
I am also curious to see what people have to say about the database
How as a group should we manage the construction of the actual application? Are there methods out there that I can use that will allow any one of us to move the files to our development machine and keep track of who did it so we don't end up overwriting each other's changes?
It sounds like you're looking for build management. In the case of PHP, a true "build" is as simple as a collection of source files because the language is interpreted; there is no compilation.
It just so happens that I am one of the developers for BuildMaster, a tool which basically solves every problem you have listed in your question... and it also sounds like it would be free in your case under the Community Edition license. I'll try to address some of your individual pain points and how BuildMaster could be used as a solution.
Source Control
As suggested by others, you must use it. The trick when it comes to deployment is to set up some form of continuous integration so that every time someone checks in, a new "build" is created. In BuildMaster, you can set this up for any source control provider you want.
Issue/Bug Tracking
Excel will work, but it's not an optimal solution. There are plenty of free issue tracking tools you can use to manage your bugs and features. With BuildMaster, you can link your bugs and features list with the application by their release number so you could view them within the tool at any time. It can also modify issue statuses and add descriptions automatically if you want.
Deployments
Using BuildMaster, you can create automated deployment plans for your development environment, e.g.:
Get Latest Source Code
Create Artifact
Copy Files To Development Machine
Deploy Configuration Files
Update Database
The best part is, once you set these up for other environments (glowcoder's point #6), pushing all of your code and database updates is as simple as clicking a button.
Another issue I foresee will be updating the database running on the development machine. Are there any standardised methods that we can use to manage our SQL scripts among the four of us?
Database Updates
Not surprisingly, BuildMaster handles these as well by using the change scripts module. When a member of your team creates a script (e.g. ALTER TABLE ADD [Blah] INT NOT NULL) he can upload it into BuildMaster, then run it on any environment you have created.
The best part is that you can add a step in your automated deployment and never worry about it again. As Justin mentions, you can use .sql files for your object code (stored procedures, views, triggers, etc.) and have those executed on every build since they are essentially code anyway. You can keep those in source control.
Configuration Files
One aspect of all this you may have neglected (but will inevitably run into) is dealing with configuration files. With PHP, you may have an .htaccess file, a php.ini file, a prepend.php, or roll your own custom config file. Since by definition configuration files need to change between your personal machine and the development machine, grabbing them from source control wouldn't necessary work without some bit of hacking a la:
if (DEV) {
// do one thing
}
else if (PROD) {
// do another
}
With BuildMaster, you can templatize your configuration files and associate them with an environment so they can be deployed automatically. It will also maintain a history of changes for you.
Automated Testing
If you want the full ALM effect, you can automatically unit test your code during an automated build, and notify you if anything fails so you know as soon as possible that something is broken.
Apologies for the "long winded" response, but I feel like you're already ahead of the game by observing the problems you might run into in the future and really believe BuildMaster will make all of this deployment stuff simple for your team so you can focus on the fun part, coding!
I am looking for a clean, well-built CMS. I want to migrate a number of sites away from a self-built CMS which I will not be developing further.
I've come across Apostrophe and instantly fell in love with the great, integrated user interface.
It is based on the Symfony framework, which I have practically no experience with.
My questions:
I am planning to deploy sites I build with this CMS on shared hosting packages which do not offer any command line access. I know that many of Symfony's development and maintenance functions rely on command line access to the symfony script. Is it feasible to deploy an Apostrophe-based web site to such a web host, or is access to the command line tools required for a live product on a regular basis?
To be very honest, I'm not really keen on learning Symfony in depth right now: I'm sure it's a great framework, but I have tons of other obligations. I just really like what Apostrophe offers to the end user of the CMS. In your opinion as a seasoned Symfony or even Apostrope developer, will a professional PHP developer be able to set up a web site (without much customization on the code end - lots on the front-end, but that's a different matter) without being a Symfony expert? Or is this a recipe for disaster?
Are there any other arguments that, from your experience, speak for or against using Apostrophe in my situation?
I'm one of the core Apostrophe developers at P'unk Avenue.
Right now Apostrophe's open source release is oriented toward folks who are willing to get somewhat up to speed with Symfony, yes, at least so far as understanding the layout of a Symfony project and learning to edit templates. You need those skills to add new page templates and edit the global layout.
You don't have to create entirely new PHP classes to launch and maintain an Apostrophe site, though. Sometimes "light PHP" skills (creating new templates) are all that is required.
Usually the Apostrophe ecosystem works like this: a client wants to work with us, or with another developer, to create a site that they can then maintain on their own without the usual problems of the client accidentally trashing the design, busting the layout with horrible HTML pasted from Microsoft Word, et cetera.
Apostrophe solves that problem very thoroughly with robust built-in HTML filters and media slots that aggressively manage images and video so that they display correctly for a given page template and so on.
So we take the problem of helping clients (who are very competent in their own knowledge domain, but not designers) to maintain their own content safely very seriously and have some unique solutions as standard equipment in the system.
As for your hosting situation though, yes, it is difficult to use Apostrophe (or other really modern PHP code) with zero command line access. Symfony tasks are used to clear the Symfony cache and to reoptimize the search engine nightly. You could work around the former with some other hack to empty the cache folder and the latter by ignoring it, which will work if the site is small.
Another problem with shared hosting is that it won't have APC running as a bytecode cache. Without APC pretty much all PHP code runs much much much slower. Systems with a lot of PHP classes are not meant to be run without APC and they appear much slower than is really accurate without APC.
I would strongly urge you to check out the offerings of ServerGrove (www.servergrove.com). When your client can have a virtual machine all to themselves for $20/month with all the security benefits that brings, I think it's a questionable decision not to go for it. (Use whatever host you want, the main principle here is that VM hosting is always vastly more secure and performs much better than old-school shared hosting. ServerGrove does specialize in Symfony hosting though which is a nice plus.)
Some shared hosting services are not completely terrible in this regard - servergrove does have a shared hosting offering, still no APC (which is a serious disadvantage for any big PHP system, including WordPress or Drupal) but they do give you shell access and secure the system by preventing other clients from being able to find your files through the filesystem via PHP. Some shared hosts don't do that at all, which is a horrendous security hole.
There is an apostrophenow community to help you along:
http://groups.google.com/group/apostrophenow
Whatever you choose, good luck with your site!
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 3 years ago.
Improve this question
I am relatively new to the Web Development business. Me and 2 friends started up our own little company. 1 person is a designer, 1 person is sales / consultant, and I am the developer. Right now, its an after work project, but we hope to expand and let it become our full time jobs.
Anyway, my question to you, is what is the best way to go about a full web development project cycle.
List of things to discuss:
Proposals - do you guys find these important
Project Planning - how much planning and mapping out should there be?
Project Management Software - I did a
little research before and I like the
online portals. Parallels stood out
for me.
Editor tools - I have been using the
most basic editor Notepad++. I feel
like I should be using something more
advanced.
PHP Framework - I just got hooked on
CodeIgniter.
Ways to deploy site - right now I am
doing most of my editing via FTP to
the live site. Should I be working
on a local copy and then uploading to
a test site for the client? Then
eventually go to the live server.
Are there ways to automate this?
(best practice ?)
I cant wait to hear all your input, especially from folks who are veterans at it!
Proposals
This really depends on what sort of clientele you are looking at. It probably will not be necessary at the beginning of your company since you will be dealing with small to medium clients, but its not bad to get into the habit. When I did a bit of freelance web development, I did not work on a proposal-based system. Instead, I did more of a site mockup->changes->implementation system. I suppose a mockup is a form of a proposal...
Project Planning
Again, this depends on the size of the project. If you're working on a static 20-odd page website, you probably do not want to get too much into the planning aspect. However, if you are working with a site that pulls into a large number of technologies (forums, CMS, AJAX, web-services, etc.) you probably want to invest a little more beforehand.
Project Management Software
Cannot say I have ever used a project management tool during my days as a freelance web developer. I'd say don't invest in anything right now. Once your company grows, you'll have a better idea of what your requirements are.
Editor tools
Notepad++ may cut it now, but I wouldn't recommend it in the long-run. If you are looking at technologies other than PHP, I'd definitely not recommend it. In fact, if you are looking at a clientele that's more "business-user" esque you need to think about getting into ASP.NET or J2EE. I would suggest getting a PHP IDE that at least has code completion, as this can help eradicate a ton of PHP bugs. I'm not sure if Notepad++ has this. You also probably want to get a debugger that integrates into your IDE. I know Eclipse had a PHP IDE a few years back, but I'm not sure how good that is these days.
PHP Framework
Never really used any PHP frameworks but that's because I graduated and got a job before I had time to teach myself any of them. :) Go with whatever fits. You probably want to get used to more than one since some projects will fit better with some frameworks.
Ways to deploy site
Defintely, definitely get a local server set-up. You can get a WAMP/LAMP installation set up really easily on your dev machine. As others have said, you probably want to use source control because of Murphy's Law. Personally, I've been using wampServer the last few years as I haven't really been developing that much PHP and that allows me to get a working environment up really quickly. But you may wish to customize your devenv further. But you should definitely test your applications on a dummy server with a dummy database before deploying it to a live server with a real database!
Hope this helps!
Impossible to answer this fully in a single post here, but I'll give you some punchlines:
Proposals - do you guys find these important
Not sure what you mean by that? Sales proposals?
Project Planning - how much planning and mapping out should there be?
Don't spend too much time planning up front - it'll lose its value once you get further down the line. Do plan enough though. Usecases and some interface sketches/wireframes are good value.
Project Management Software - I did a little research before and I like the online portals. Parallels stood out for me.
You'll never find a golden bullet here. Use as little/simple as possible and always go for something with a clear exit route. Less is more. Also, keep in mind that this kind of tool needs to work for very different types of people, at the same time. The tool supports a process though, so keep that in mind - don't let the process be defined by the tool.
Editor tools - I have been using the most basic editor Notepad++. I feel like I should be using something more advanced.
Use what works for you. A good tool is nothing, unless you know how to use it. Likewise, if you know a simple tool well, you can get very far.
PHP Framework - I just got hooked on CodeIgniter.
The exact same applies as with editors.
Ways to deploy site - right now I am doing most of my editing via FTP to the live site. Should I be working on a local copy and then uploading to a test site for the client? Then eventually go to the live server. Are there ways to automate this? (best practice ?)
This should be high priority to change. At the very least, get your source code in a SCM - Subversion is the most mainstream, so I would suggest to use that. Second, get a separate development environment and production site. You develop at your dev setup, and when it's done, you deploy to the live site.
Next step is to look in to testing and automated deployment (google for that). But first things first - Get used to SCM and a separate dev/prod setup.
Finally, if you haven't read it already, Getting Real might be worth your time.
Proposals - Why not. Just don't overdo it. Don't let it become like this big corporate wall between you and your clients. You're small, be personal. That's your strength.
Project Planning - There's three of you? Skip project planning software.
Editor tools - If there's a specific function that Notepad++ doesn't have that you need, then switch editor. But don't switch just to feel more advanced.
PHP Framework - Keep an open mind and use what ever you get hooked on.
Ways to deploy site - Always work against a dev box. Some have test boxes with real-world data to test updates before deploying to the production box. Always version control your code. Whatever tool or method you use to deploy (really a matter of taste) keep a simple checklist with steps to go trough when deploying, and keep it up to date. Do automatic regular backups of your production box and actually do a reset and restore on a test box every now and then, and write down the steps needed to restore from backup.
As an editor, I strongly recommend jEdit. It's cross-platform, speaks many programming languages, has lots of plugins for extended functionality, macro record/save/playback, is actively maintained, and is very configurable.
For deployment, Subversion makes a lot of problems go away. For web development, I typically have two branches; devel and live. All changes are done in devel. When you're ready to publish the changes, a single svn merge operation applies the same changes to the live branch.
Subversion has hooks in its infrastructure to call scripts when certain events happen, like checking in software. A post-commit hook can automatically transfer (scp, ftp, unison, etc) the files onto either the devel server or the live server, depending on which branch the changes were. Now you have nearly immediate and automatic website updates whenever changes are checked it.
Another nice thing about Subversion is that it can hook into Apache to provide a WebDAV interface, so you can change files from anywhere without opening up Subversion itself through your firewall. If you need to make a quickie change from your day job, you can.
It is pretty standard practice now for desktop applications to be self-updating. On the Mac, every non-Apple program that uses Sparkle in my book is an instant win. For Windows developers, this has already been discussed at length. I have not yet found information on self-updating web applications, and I hope you can help.
I am building a web application that is meant to be installed like Wordpress or Drupal - unzip it in a directory, hit some install page, and it's ready to go. In order to have broad server compatibility, I've been asked to use PHP and MySQL -- is that **MP? In any event, it has to be broadly cross-platform. For context, this is basically a unified web messaging application for small businesses. It's not another CMS platform, think webmail.
I want to know about self-updating web applications. First of all, (1) is this a bad idea? As of Wordpress 2.7 the automatic update is a single button, which seems easy, and yet I can imagine so many ways this could go terribly, terribly wrong. Also, isn't the idea that the web files are writable by the web process a security hole?
(2) Is it worth the development time? There are probably millions of WP installs in the world, so it's probably worth the time it took the WP team to make it easy, saving millions of man hours worldwide. I can only imagine a few thousand installs of my software -- is building self-upgrade worth the time investment, or can I assume that users sophisticated enough to download and install web software in the first place could go through an upgrade checklist?
If it's not a security disaster or waste of time, then (3) I'm looking for suggestions from anyone who has done it before. Do you keep a version table in your database? How do you manage DB upgrades? What method do you use for rolling back a partial upgrade in the context of a self-updating web application? Did using an ORM layer make it easier or harder? Do you keep a delta of version changes or do you just blow out the whole thing every time?
I appreciate your thoughts on this.
Frankly, it really does depend on your userbase. There are tons of PHP applications that don't automatically upgrade themselves. Their users are either technical enough to handle the upgrade process, or just don't upgrade.
I purpose two steps:
1) Seriously ask yourself what your users are likely to really need. Will self-updating provide enough of a boost to adoption to justify the additional work? If you're confident the answer is yes, just do it.
Since you're asking here, I'd guess that you don't know yet. In that case, I purpose step 2:
2) Release version 1.0 without the feature. Wait for user feedback. Your users may immediately cry for a simpler upgrade process, in which case you should prioritize it. Alternately, you may find that your users are much more concerned with some other feature.
Guessing at what your users want without asking them is a good way to waste a lot of development time on things people don't actually need.
I've been thinking about this lately in regards to database schema changes. At the moment I'm digging into WordPress to see how they've handled database changes between revisions. Here's what I've found so far:
$wp_db_version is loaded from wp-includes/version.php. This variable corresponds to a Subversion revision number, and is updated when wp-admin/includes/schema.php is changed. (Possibly through a hook? I'm not sure.) When wp-admin/admin.php is loaded, the WordPress option named db_version is read from the database. If this number is not equal to $wp_db_version, wp-admin/upgrade.php is loaded.
wp-admin/includes/upgrade.php includes a function called dbDelta(). dbDelta() scans $wp_queries (a string of SQL queries that will create the most recent database schema from scratch) and compares it to the schema in the database, altering the tables as necessary so that the schema is brought up-to-date.
upgrade.php then runs a function called upgrade_all() which runs specific upgrade_NNN() functions if $wp_db_version is less than target values. (ie. upgrade_250(), the WordPress 2.5.0 upgrade, will be run if the database version is less than 7499.) Each of these functions run their own data migration and population procedures, some of which are called during the initial database setup script. Nicely cuts down on duplicate code.
So, that's one way to do it.
Yes it would be a security feature if PHP went and overwrote its files from some place on the internet with no warning. There's no guarantee that the server is connecting correctly to your update server (it might download someone code crafted by someone else if DNS poisoning occured) - giving someone else access to your client's data. Therefore digital signing would be important.
The user could control updates by setting permissions on the web directory so that PHP only has read access to the files - this procedure could simply be documented with your program.
One question remains (I really don't know the answer to): can PHP overwrite files if it's currently using them (e.g. if the update.php file itself needed to be updated)? Worth testing.
I suppose you've already ruled this out, but you could host it as a service. (Think wordpress.com)
I'd suggest that you package your application with pear and set up a channel. Your users can then upgrade the application through a standard interface (pear). It's not entirely automatic (unless the users have some kind of automation running on top of pear), but it's standard, so any sysadmin can maintain it.
I think your best option is an update checking mechanism that will alert the administrator when there are update(s).
As you mention, there are a number of potential security problems. Due to those alone, I would suggest not doing this. Instead, try creating a fairly smart upgrading script.
Just my 2 cents: I'd consider an automatically self updating application within my CMS as a security hole, so if you decide to code this feature, you should consider to implement different levels of this behavior:
Automatically update
Check for updates and notify
Disable