malevolent design weblog

Faffing About With Frameworks

Over the past few months I’ve been evaluating server-side coding frameworks for use in malevole and a few other projects. Basically, a framework provides an extra layer of abstraction to make common tasks easier and let you write clearer code, but you generally pay a price in terms of performance, flexibility and dependencies, so it’s a choice you have to make with care.

If I were setting up a team of people to produce a series of larger projects I suspect I’d opt for the Python-based Django, but to avoid hosting/configuration hassles and command-line faff I decided to stick with PHP for now. Code Igniter seemed ideal, but within minutes of starting a proper test application there were problems: I found a few obvious bugs, then noticed awkward quirks and limitations. Although there’s a lot to like, it wasn’t quite right, and the other frameworks (Zend, CakePHP, etc.) seemed either immature or cumbersome.

So I finally embraced my Not-Invented-Here tendencies and created yet another MVCish framework, with the following must-haves:

  • Basic server requirements (PHP5 with minimal add-ons and common settings)
  • No code generation/scaffolding or command-line stuff
  • Clean and simple structure/syntax
  • Flexible URL handling
  • The ability to cache individual areas of the page
  • Inherent XSS protection by HTML-encoding all data passed to views (can override to pass markup)
  • Inherent CSRF protection by building checksums and expiry into forms
  • Inherent SQL injection protection by using parameterised queries (possibly add active record-type abstraction later)
  • Forced vetting of GET/POST/cookie inputs
  • Streamlined form validation
  • Full UTF-8 support
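
The checksum-plus-expiry idea from the CSRF bullet above, as an added example rather than code from this framework: the function names, the token layout and the use of HMAC-SHA256 are assumptions, and it needs PHP 5.6 or later for hash_equals(). All sample values are constructed.

```php
<?php
// Added illustration; csrfToken()/csrfCheck() are hypothetical names.
// Assumes $formId and $sessionId never contain the '|' separator.

// Hidden-field value: "<expiry>.<HMAC-SHA256(formId|sessionId|expiry)>".
function csrfToken($secret, $formId, $sessionId, $ttl, $now)
{
    $expiry = $now + $ttl;
    $mac = hash_hmac('sha256', $formId . '|' . $sessionId . '|' . $expiry, $secret);
    return $expiry . '.' . $mac;
}

// True only for an unexpired token minted for this form and this session.
function csrfCheck($secret, $formId, $sessionId, $token, $now)
{
    $parts = explode('.', (string) $token, 2);
    if (count($parts) !== 2 || !preg_match('/^\d+\z/', $parts[0])) {
        return false; // malformed or missing field
    }
    list($expiry, $mac) = $parts;
    if ((int) $expiry < $now) {
        return false; // form was rendered too long ago
    }
    $expected = hash_hmac('sha256', $formId . '|' . $sessionId . '|' . $expiry, $secret);
    return hash_equals($expected, $mac); // constant-time comparison
}

// Constructed sample values so the script runs stand-alone.
$secret  = 'constructed-demo-secret'; // in practice: random and server-side only
$session = 'sess-a1';
$t0      = 1700000000;                // time the form was rendered
$token   = csrfToken($secret, 'contact', $session, 900, $t0);
$forged  = ($t0 + 99999) . strstr($token, '.'); // expiry edited, checksum kept

$cases = array(
    'same form and session, 60 s later' => csrfCheck($secret, 'contact', $session, $token, $t0 + 60),
    'submitted after the expiry'        => csrfCheck($secret, 'contact', $session, $token, $t0 + 901),
    'replayed from another session'     => csrfCheck($secret, 'contact', 'sess-b2', $token, $t0 + 60),
    'replayed against another form'     => csrfCheck($secret, 'login', $session, $token, $t0 + 60),
    'expiry extended by the client'     => csrfCheck($secret, 'contact', $session, $forged, $t0 + 901),
);
foreach ($cases as $label => $ok) {
    printf("%-36s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

Because the expiry is covered by the checksum, the server needs no per-form storage: a client that edits the timestamp invalidates the MAC.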

After a couple of days’ work here’s how the malevole home page controller code ended up:

<?php
class home extends Controller
{
  function index()
  {
    $pageData = array
    (
      // title, description, etc.
    );

    $this->views->setContentType('text/html');

    // Load the 'home' view and try to serve it from the cache first
    $this->views->add('home');
    if (! $this->views->home->renderFromCache())
    {
      // Cache miss: pass the page data and latest weblog entries to the view
      $this->views->home->addParams($pageData);
      $this->models->add('weblog');
      $this->views->home->addParam('notes', $this->models->weblog->getLatestEntries());
      // Render the view and store the output for later requests
      $this->views->home->renderAndCache();
    }

    Common::userDetails();
  }
}
?>

The framework needs more work on form validation and sessions, but is otherwise complete and working really well. I doubt the world needs more PHP frameworks though, so it probably won’t get released.

