As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
I'm trying to choose a framework that provides really good security of web applications, protects against as much of OWASP Top-10 as possible, such as:
Sql Injection
XSS
CSRF
Authentication
Authorization
etc.
the thing is I've tried researching really heavily:
Cakephp, Zend, Yii, Code Igniter, Kohana and some have basic authentication, maybe a little authorization, but nothing for any application that needs solid code-security.
Is most of the vulnerability types above currently secured by only writing custom code in these frameworks?
This is kinda my first experience with using frameworks, everything up til this point has been custom php web apps. My whole thought for php-frameworks was it was going to be easy to protect against these vulnerabilities, given it isn't natively, why use one? Or is there a framework out there I'm not looking at which is better than those listed above for strong web app security? Thanks
Security cannot be applied to an application like some veneer. Each kind of a security problem is dealt with in some other way, and most of PHP frameworks provide tools to write secure code:
Fighting HTML injection / XSS requires the use of a template engine
(like Twig) that escapes values by default or a component-driven
approach to displaying HTML. No framework
will help you, if you allow people to upload their files and have
them served from your own domain (you have to use a separate domain
for that);
You can avoid SQL injection by using db helpers that escape query
parameters; each framework you mentioned provides those (and of
course you can use plain PDO);
You can fight CSRF by using session-bound tokens. Each framework
offers some solution. In each case, however, you have to assist the
framework in some way (by adding a token to each form or by using a
form abstraction provided by the framework).
So in a way - yes, you have to think about security. I don't think any PHP framework could do anything more that they already do, unless there is a major paradigm shift that lets us design applications by dragging colorful boxes across the screen, not touching dirty, insecure things like HTML or SQL. What kind of support would you expect?
I'd also say try CodeIgniter.
Sql-Injection - If you use the active record pattern in CodeIgniter you're secure
XSS - It's a config value in config.php
CSRF - Also a config value in config.php
Login etc. - There are libraries for that like https://github.com/EllisLab/CodeIgniter/wiki/SimpleLoginSecure
Also CodeIgniter is easy to use if you're working with a framework for the first time and has a great user guide which is really easy to understand.
Edit: Since I'm still getting upvotes here in 2019, please check https://laravel.com/
The key vulnerabilities you mention happen in different and sometimes multiple layers and are often dependent on the context of what youre doing so a lot of them will offer the facilities to protect against this stuff but you have to make use of it.
For example both Symfony (1.x and 2) and Zend Framework have a form component/sub-framework that implments CSRF out of the box. But that doesnt mean its turned on by default (symfony's is... dont recall if zf's is or not). Same thing with XSS when we talk about the output escaping side in the view layer.
Now when it comes to framework preference for big apps i personally like Symfony 1.x and Symfony2, Zend Framework 1.x (not going to mention zf2 because i havent even played with it yet). For simple things i like Silex (based on Symfony Components).
Related
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
I know this has been done many times before (some posts are really old so would be nice to get feedback based on current state of play), but I would like people's advice on which framework to use for a new application that we are about to start developing.Though we have set-up everything according to ZEND but now client's investor need to know why we choose Zend.
It was selected on the bases, out of 5 developers 2 are familiar with Zend. Now client want a detailed explanation why we didn't choose Symfony over Zend. Our reason is not enough to support our selection ;) so help me to choose which framework has what advantages over other so that we can present him solid reasons(for zend), and if symfony has more +ves then why we choose it(symfony) NOW. We can change our framework now.
I guess the correct answer is 'depends on what you're application and you're own requirements/preferences' so here is a brief description of the application and some of our own requirements:
The Application:
A financial transaction system extracting live transactions data done over thousands/millions of POS world-wide.
Few important things for project:
Database is already provided to us & it is an ORACLE database.
Oracle database has more than 86 tables. Some of the tables have more than 60000 rows of data at present & some of them have 79 columns too.
Our Requirements:
good support for jQuery
allow easy output of different types of output (HTML, XML, JSON)
easy UI development using in-bulit functions/methods.
ACL
fairly fast development (as always, schedule is tight)
nice clean business logic layer with freedom to architect the solution as we like.
a framework that helps you to get stuff done quickly but doesn't restrict you too much.
a good platform for doing other projects.
Any feedback from people who have used these frameworks (specially those who have used both) would be much appreciated.
Zend is not compulsion, but if changed to symfony, we need support for that. So support your answers with reasons, links.
Thank you.
Why Zend
First of all, I had my good experience over working with Zend Framework. It is most stable framework over all the php RAD Frameworks. Zend provides you jQuery builtin Class as Helper that will make it easy for you to make jQuery usage most easy. Even though, it provides the best usage with Dojo too. ZendX_jQuery class makes it easy for you to make use jQuery whenever you want. And, as you know jQuery allows ajax calls by $.ajax*() so it would be perfect choice for going through client side scripting.
However, I'll focus over the zend too because you can go through writing your API for most of the common transactions all over the site. As, ZEND provides Using AjaxContext with Zend_Rest_Controller and Zend_Rest_Route classes for this purpose that holds the Ajax context.
Zend has the best cache system. Even though, it provides the perfect search indexing using lucene. It is easy and stable to make your own re-usable component in your class library. CLI makes your structure delightful so no need to make everything manually.
No problem of managing templates. Action loads its view by prefix. View doesn't bounds you to have any templating engine. However, you can go through that too.
Layouts capability makes it extremely perfect to make generic and dynamic layouts that would be based over different of the controllers based upon ACL. And by ACL, i also got that Zend_Acl provides the complete solution over implementing out the ACL services. ACL is ofcourse the mandatory thing in your application.
Zend also provides you ability of having the modular structure of your site. Just plug and play your code snippets.
Why Symfony
I never gone too much deep over the symfony. However, I experienced it before for one of my project. Overall, as comparing, zend has decent folder structure then symfony. Symfony provides you ability to your code snippets but those snippets are known as bundle here. It has some templating styles that you need to implement in your views. It didn't found any built-in core library for implementing jQuery dynamically. May be, I would be wrong here but I don't know about it yet!.
I also got the same situation when I need to compare Zend & Symfony. But, after looking over all the aspects, I decided to go through the Zend.
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 9 years ago.
I'm designing a new website and I need a login system (Preferably in PHP and mySQL). I've written ad-hoc login systems before and I'm aware of all the security involved, etc. But as Jeff Atwood said, Never design what you can steal. So I'm wondering if there are any good PHP login/sign-in libraries. Can you recommend any?
some specifics
I am trying to avoid php frameworks if at all possible (there is no reason to import one just for the login function)
Also, I am aware I could simply use a social login or open-id, unless you are aware of a REALLY good library for this I would also prefer to not have to have to use something (open-id) I've never dealt with before
Finally I need to be able to edit the user information in the mySQL database
UserCake
http://usercake.com/
Login Register Lost password recovery
Update password Update user email
Email templates (optional) SHA1
security + Salt / Hash Account
activation (optional) Resend
activation email (optional) User
groups (Basic, id - group_name)
Multilingual support
Or
You can try
http://phpuserclass.com/
Some points before the answer.
You may rethink your strategy on frameworks. Modern frameworks like Zend Framework and also Symfony2 are loosely coupled. This means: you dont need to download/use the whole framework.
Another reason to rethink it, is that these frameworks are often robust, widely tested and used. In terms of performance they are not always of huge impact, especially with apc and other optimization methods, so are you affraid you will use too much harddisk space?
Your question is about something specific but easily done. This is exactly the type of stuff that frameworks are good at. Codeigniter, Zend Framework, Symfony, Symfony2 (am I missing one?), all offer code that will allow you to do this in maximum a matter of hours.
Libraries I would consider
Zend_Auth (has only zend_exception as hard depencencies). It's lightweight and has many options for integration with openauth and such. (requires about 10 php files) http://framework.zend.com/manual/en/zend.auth.html
Apache ZetaComponents (before ezcomponents)
http://incubator.apache.org/zetacomponents/documentation/trunk/Authentication/tutorial.html
Pear LiveUser
http://pear.php.net/package/LiveUser/download/
If you were to consider codeigniter, check this out: http://codeigniter.com/wiki/Category:Libraries::Authentication/
This tutorial is a bit on the old side, but it is one of the best out there and is very well done. There's no framework, it's just plain old good OOP PHP.]1 The code is available for download on the Tut.
It's well written, includes Cookies, and has a robust back end for user admin.
If the libraries you find do not apply, many of the concepts I presume you'll look into involve either combining PHP and LDAP, and/or PHP and the Apache authentication modules.
Your authentication requirements should also respect the principles of defense in depth.
Also, you might need to discover if your project requires authentication for JSON, XML-RPC, or REST APIs that could be operated by non-browser clients.
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
I'm an intermediate PHP developer with no experience building a large scale web application in this language (though I have in others, mainly Rails)...say I wanted to build a social networking site using PHP and MYSQL (preferably) with all the web 2.0 trimmings.
Where should I start? What sort of frameworks should I be looking at? Any up to date modern books that would outline something like this? Really anything for building a modern web app in PHP.
Ryan, there is a php framework called Elgg which is a php framework directed at social networking based applications.
A whole list of them:
Top 40 Free Open Source Social Networking Software
I suggest you have a look at the Yii Framework. It is very well-designed and was written with performance in mind. They've heavily focused on optimising their code for use in combination with an opcode cache like APC - no other framework has shown the same level of performance improvement when used with APC. Outside of performance, the framework also offers lots of built-in support for security (secure sessions with HMAC, SQL injection prevention, XSS prevention, etc.), forms, user input validation, caching, authentication/access control, and JQuery integration.
If you're an intermediate PHP programmer who is not experienced/confident enough to build your own framework, then Yii is a really good place to start as the code is very elegant and imho the programmer made some great design choices while writing the framework - simply reading through the Yii code makes for a great way to learn about how to design/write good PHP code.
Just my two cents...
Wikipedia has a comparison of various social network frameworks / software:
http://en.wikipedia.org/wiki/Comparison_of_social_networking_software
Several of them use PHP / MySQL.
I also saw this book on creating a social network in PHP:
Create a powerful and dynamic Social Networking website in PHP
What sort of frameworks should I be looking at?
Try a modern framework like Kohana or maybe something more engineered-OO like Zend Framework.
You also might want to consider a simple procedural framework instead of an OO framework. PHP does very, very well working at low levels.
Avoid Cake. It tries to be Rails-like, but not only do Rails idioms translate very poorly into PHP, Cake is stuck in the design era of PHP4.
People Pods may be what you're looking for. It's a PHP framework built with social networking in mind.
I'm actually doing this right now currently with Zend Framework, and it is working out fantastically well.. Zend is seriously powerful and scalable.
I've always hated doing all the initial work of creating login accounts and hashing passwords and putting stuff in place to manage SESSIONS, so moving forward with new work I plan on checking out an early revision of this project and simply forking it into whatever other site that requires logins.
I think the place to start is to really understand the fundamentals of HTTP and the tools PHP gives you for dealing with its stateless nature.
Beyond that, I would look into templating. Perhaps Smarty?
Finally, all of the normal MVC design patterns stuff apply equally to PHP, and there are lots of implementations if you'd like to use something off the shelf. You might want to check out Cake, if you need a framework.
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
In the jungle of frameworks out there, I've come to the conclusion that I cannot simply decide on a framework without considering the type of application / site I want to create. I think I need a little help with determining this one.
This site is graphics heavy, with all of the content presented in a small <div> in the centre of the page, surrounded by graphics. The graphics around it should preferably be loaded only once.
The site will allow users to log on with their account and choose from a number of pre-made food recipes, or create their own. Then they can press a button to have the site generate a week or two of dishes.
The users will need their own control panel where they can customize stuff as wallpaper, dishes, labels etc. As well as browsing recipes, adding ingredients, and looking up which dishes they can create with the ingredients.
As mentioned, all of this data is supposed to be presented inside a square in the centre, so we need a system of jQuery panels. I was thinking of dynamically adding content to this square as needed. For example, emptying the content and adding new content to it when clicking links, etc.
We don't need any community per se; the possibility for discussion can be explored in a separate, external site.
I should mention I am more of a designer than a programmer. I get stuff pretty easily, but fear I don't have the capacity to create a framework like this from the ground up. I do know a bit of Visual Basic, but I'm not so good with C# syntax. I've never even touched PHP, but my partner has. He's also somewhat familiar with Java.
Basically, we need a framework that's easy to understand and get up and running.
I rolled my own framework based on http://kissmvc.com/. It allows you to basically do what you need in PHP but gives you an easy MVC framework to do it in. You don't have to learn the specific syntax to Zend, Cake, Code Ingiter or Kohana, all of which I played with before I found kissmvc. Based on a blog post by Rasmus, it was all the direction I needed and I love what I have now for reasons #animuson mentioned.
Rasmus' post: http://toys.lerdorf.com/archives/38-The-no-framework-PHP-MVC-framework.html
From what you write, I would say all "big, famous" frameworks will be able to do this fairly "easy"... So You should really define a few prototype tasks and check out a few of the frameworks. You should be able to solve this using, CakePHP, Symfony, CodeIgniter, Yii, Zend, or any other framework, so it is better to do some real testing.
You might look for a framework that has a tight integration to jquery, but this should not be a showstopper, since you should be able to implement this in almost any framework.
You might also consider footprint and execution time, and find a framework that performes well and is not too cpu heavy (read Yii or CodeIgniter for instance).
Good luck in the search
Ultimately if you want it to fit your needs you need to build your own framework, otherwise there will always be limitations. Keep in mind that there is no framework that you can simply install and tell it to do these things, you are going to need programming knowledge of how the framework works in its entirety and how to program your custom pages to work with those features. I found it easier to just build my own framework. That way I always knew exactly what everything did and if I needed something additional, I could easily add it in the correct spot without doing much thinking on it.
A framework is only the base materials and functions you need. If you're looking for something like a pre-built website such as PHP-Nuke or a forum system, you're looking for a content management system, not a framework. A framework generally comes with absolutely no pre-built pages. Might I add that some content management systems do come with their own framework and some use existing frameworks from elsewhere.
So, we basically need a framework that's easy to understand and get up and running.
well as far as the above statement is concerned you may want to have a look at cakePHP framework.
You will easily find help on cakephp framework on stackoverflow and cakephp google group. Response will be quite fast on both the sites.
You will need to go deeply through the documentation of every framework that you plan to use because with a functionality that you are planning to built would require you to study the framework quite well.
With cakephp you will be able to create CRUD (create, update, delete) operations quite easily with less effort, but for further functionalities you will have to study it's documentation and keep your cool while you learn it :-)
I have always found plain php to be all the framework I need.
PHP itself has all the features provided by the other frameworks
A superb templating engine, database access, parsing, and control logic.
The great thing is all these features implemented in a single unified component called "php".
The main problem is you need discipline to separate presentation, navigation, busines logic and database/persistence handling. You can have sql statements mixed in with your html, you can emit html directly from an sql statement in fact you have complete freedom to implement all the known anti-patterns and invent some of your own.
The "Java" and "Perl" frameworks generally provide things like request handling, template handling etc. which are missing from the basic language, but, these features are built into php. Most of what the "php" based frameworks do is force you into (a very sensible) MVC design pattern and save you a tiny bit of coding.
As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance.
Closed 10 years ago.
I am mainly looking for good development practices specially when working in conjunction with mysql. I searched through the questions but could not find any related questions. I would appreciate if some one share their practices and wisdom gained through experience.
Apart from some coding standards, I am also looking for design standards and common architectural practices.
Background: I started my career with Java, and over the years I moved to C#/.NET space. I have been practicing architect for over 3 years now. Just added this to give some idea to people.
I would suggest that you familiarize yourself with the history of PHP, I know that doing so has given me a much greater appreciation of what PHP is today and where it has come from.
In short, PHP was written by Rasmus Lerdorf to provide simple wrapper functions for the C code that was actually doing the heavy-lifting so that he could have a simpler language / syntax for writing templates that needed to behave dynamically. The growth of PHP and the community which surrounds it is best described as organic. And much like other things that grow organically, its more than a little messy, asymmetrical, and downright non-congruent.
Once you understand PHP and its community, you need to embrace PHP for everything that it is and everything that it is not. This idea was best presented by Terry Chay in his article PHP without PHP. He's specifically talking about the concept of funky caching, but he captures the concept of coding for PHP as if it were PHP and not (insert favorite language here) better than anyone I've ever seen. In other words, don't try to make PHP into Java, C#, Ruby, etc because if you do you'll fail and you'll hate your life.
Take a look at
How is PHP Done the Right Way?.
I must say that you must first, last, and always avoid the tendency of most beginning PHP developers to use the spaghetti-code anti-pattern. In other words, if you find that you're writing code that contains sql queries, manipulation of data, validation of data, and html output all in a single php script, then you're doing it wrong.
In order to avoid this, it will be helpful to learn something about the nature of web-oriented design patterns. This of course precludes a familiarity with object-oriented programming. But once you've learned the basics of object-oriented programming in PHP, study the MVC design pattern. You don't have to implement this exactly but using the basic ideas of Model-View-Controller will allow you to avoid the blob script problem that most newbies tend to create.
On this point, I would strongly recommend that you take any code snippets you find on the web with a grain of salt. And even if you find it in a book you'll have to consider how old the book is. PHP as a language has advanced quite a long ways and you can't just take code samples at face value because, depending on their age, they may be using workarounds that were valid in 3.x or 4.x but simply are no longer necessary with newer features.
One great thing to do is to study the various frameworks out there. Evaluate what you like and what you don't. Maybe even work up each of the quickstarts that are provided with the framework documentation so that you can start to get an idea of what you like and don't like. And I would strongly recommend that you review the code from the frameworks as well as several other open-source projects so that you can get a feel for how others do things in PHP. Again, take it all with a grain of salt because every PHP developer has their own pet peeves and nuances and none of us is right all the time. In fact, most of the time with PHP there are going to be several pretty good ways to do something.
If you want to get a better understanding of the patterns that are being implemented by the frameworks and are commonly thrown around in the common vernacular on SO, I would suggest that you read Fowler and GoF. They'll teach all about the basic design patterns you'll use in your development efforts.
Specifically watch for the following:
Function files that contain LOTS of functions. This is most likely representative of a need to either put functions directly in the scripts that need them or it may also indicate an opportunity to create some more generic functions that can be made to fulfill the roles of a couple of highly specific functions. Of course, if you're building cohesive, well-encapsulated classes you shouldn't run into this problem.
The do everything class. This is a blob anti-pattern and is really nasty. In this case you need to identify where cohesion and encapsulation are breaking down and use those points as opportunities to break up the class into several smaller, more maintainable classes.
SQL queries that don't use parameterized queries or at least escaped parameters. Very, very, very bad.
Any instance where validation is not being performed or is only performed client-side. When developing for the web, the only way to keep your site and your users safe is to assume that everyone else is a black hat.
A sudden obsessive desire to use a template engine. PHP is a templating language. Make certain that you have clear reasons for adding another layer onto your website before using a template engine.
For further reading please look at the following:
PHP Application Design Patterns
Defend PHP -- useful to give you an idea of the most common criticisms.
Security of strip_tags and mysqlirealescapestring
What should Every PHP Programmer Know
How to Structure an ORM
Best Way to Organize Class Hierarchy
Main Components / Layers of PHP App
Why use Framework for PHP
Recommended Security Training for PHP
Use a coding standard.
Use unit testing. PHPUnit and SimpleTest are the major xUnit systems in PHP.
Be object oriented.
Use version control. Any version control, just use it.
If applicable, use a framework. Zend, CodeIgniter, Symfony, and CakePHP are the major ones.
If no framework, at least use an ORM. Propel and Doctrine are the major ones.
Document. Heavily. Use PHPdoc or similar.
There are a wealth of tools out there for PHP. Please use them, and write good maintainable code. You'll make everyone happier.
Use PDO or mysqli. Using one of these will give you prepared statements, which are safer and more efficient. I can't believe how many examples and tutorials I see using the ancient mysql interfaces. PDO would also make it much easier to switch to a different database system, should you decide to try postgres for instance.
You might look into using Doctrine (http://www.doctrine-project.org). It has a bit of it's own learning curve, but provides very convenient functionality. The handiest parts, for me, are the table creation/test data loading functions. Personally, I prefer to write my own SQL and execute it with PDO, and not use an ORM much in production.
Mainly, learn about SQL and MySQL. http://www.kitebird.com/mysql-book/ this book is excellent. The PHP aspect isn't very intense; PDO takes care of most of it.
Zend Framework's "Coding Standards for PHP" is good starting point. Check also this post.
Your from a Java background, and much of the OO stuff in PHP is very Javaesque. This means many of the design patterns you (hopefully) learnt in Java also apply (to a lesser extent) in PHP. An example for database access would be the DataMapper pattern.