What I Need in a PHP Framework

March 25, 2015

Most PHP frameworks provide a common set of capabilities to help developers build good applications more quickly. They often include the following.

  • A database abstraction.
  • A request and response abstraction.
  • A templating system or method to use existing templating system.
  • MVC-orientation.
  • HTML Form abstractions.
  • Filters.

Those are all pretty simple (not easy, but in contrast to complex) to design and implement for an experienced software developer. While highly useful, they don't address directly the things which are actually hard to get right or are complex.

These hard or complex areas of functionality require a great deal of depth and breadth of experience to get right. Their best practices are developed not by one guru, but by an entire community of people. The best example is security. Security can be broken down into quite a few major sub-categories, which in itself begins to show just how hard an area it is to get right.

There's encryption of data, user authentication, user authorization, CSRF defense, XSS defense, SQL injection defense, and probably a lot more -- precisely showing my personal lack of expertise in this area.

Database abstractions (above) often provide a good deal of SQL injection defense. Often HTML form abstractions (above as well) improve upon that, and also provide CSRF defense capabilities. But not always.

Thus a truly useful and powerful PHP web framework would attempt to provide maximal help in solving the hard problems. The expertise of many people in an open-source community building a framework is more likely to solve hard problems correctly.

Using such a framework would greatly benefit a web application development team. The application team is required to have business domain knowledge to implement their solutions, in addition to their technical skills. They have limited mental bandwidth to be expert at everything. Just as one should probably not write one's own encryption algorithm, one should probably not write one's own suite of web security routines.

I want to find a PHP web framework which helps me use best practices for the hard problems: for security, authentication, session management, caching, and perhaps others. A good DB abstraction, SQL builder or HTML form builder would be nice. But if most senior developers had to, they could build decent versions of those from scratch. That's not true of the hard problems.