[FX.php List] [OFF] Something to show at DevCon CWP User Group? ->
tony_white at twdesigns.com
Sun Jul 14 20:07:52 MDT 2013
Hi Dale, thanks for the thoughtful answer.
Please see in-line replies below...
On 6/20/13 3:04 PM, "Dale Bengston" <dale.bengston at gmail.com> wrote:
> Okay, Tony. I'll bite on frameworks.
> Yes, frameworks often take more steps to do something like create a simple
> form. Sometimes. But there are payoffs that make it well worth the effort of
> learning that new way of doing it. I use the Cake framework, and the first
> time I coded a form it was utterly alien and incredibly frustrating to get it
> working. But the upside is Cake builds in all sorts of security features to
> protect against SQL injection and cross-site submits. (I won't try to explain
> how they do it; Cake's documentation can do a far better job.)
I have been reading the docs for 4 of the well-known frameworks, 3 in the PHP
world and 1 in the Ruby world (RoR) to learn from the collective thinking of
many. I thought this page was an interesting overview on security issues:
> I'll freely admit that this was really difficult for me, after writing my own
> PHP code for ten years. But once I got past the frustration and learned enough
> to be a functional coder again, I will never look back. I am completely freed
> up from the menial work of hard-coding paginated search results, sortable
> tables, form validation, AJAX calls, jQuery functions to bind clicks, on and
> on. I can focus on the things that my clients are really looking to me for,
> like overall usability.
Lots of pros for sure.
> An added benefit of learning a framework like Cake is it's forced me to
> completely understand and embrace MVC. An ancillary benefit is that every
> action on a site is contained, and there is very little risk of something
> breaking somewhere else when I do code modifications.
Are you running PHPUnit or something like it?
> But the big issue for me, and the reason I will never go back to my own
> self-written framework, is security. There is just no way a solo coder like me
> can even stay on top of security threats, let alone address them all. But a
> group of highly-motivated experts contributing to an open-source project like
> Cake can do it. I choose to stand on the shoulders of these giants.
This was an interesting podcast episode that talked about an exploit of a
vulnerability that was discovered in Rails.
Since late December, there's been a number of very, very critical issues
found on Ruby on Rails. They largely stemmed from one root cause, which is
that de-serializing YAML, which Rails uses a lot internally, is insecure. You're
probably familiar with YAML from database.yml, where you have your
production and test and development settings for your databases. But it
turns out that Rails uses the same format to de-serialize other things like
JSON in some instances. And YAML is a very powerful language; it lets you
de-serialize into arbitrary Ruby objects.
It is interesting to me how a framework can sometimes lose track of the
magic, slip up and leave an opening. Ruby on Rails (RoR) was quickly
patched. Still there is food for thought in that episode.
> Yes, it's a struggle as an experienced coder to learn someone else's methods
> and conventions. But in the long run, it's worth the struggle to reap the
> benefits of a well-written, well-maintained framework.
I agree that there are times when using a framework is the best choice.
> I hope that helped,
> PS I am not a Cake zealot; it is what I use but there may be other frameworks
> that are more suited to your projects.
> On Jun 20, 2013, at 11:02 AM, Tony White <tony_white at twdesigns.com> wrote:
>> [FX.php List] [OFF] Something to show at DevCon CWP User Group? -> web
>> Hi All,
>> First off, I should say that on the topic of web frameworks, I have more
>> questions than answers.
>> That said, I have been researching web frameworks both in the PHP world and
>> in the Ruby world and have some thoughts on the matter.
>> I have to confess a bias...I prefer to code as "close to the metal" as I can
>> for any given environment. I want the shortest path from point A to point B,
>> unless there is an advantage to inserting more hops along the way.
>> There are lots of blog posts (many of which I've read) that talk about the
>> advantages of using a framework versus not using a framework.
>> There are also many blog posts on the web comparing procedural PHP to
>> object-oriented PHP.
>> There is also a lot of documentation about how different frameworks work. I
>> have read through much of the documentation for CodeIgniter and ZEND.
>> From Joel Shapiro a while ago:
>> Having said all that...I'm currently of the opinion that it is sometimes
>> correct to use a web framework and sometimes correct to avoid using a web
>> Likewise it is sometimes correct to use object-oriented PHP and sometimes
>> best to use procedural PHP.
>> Any given choice should be guided by pros and cons and how they affect a
>> particular situation.
>> I'll start off by making the assertion that the web frameworks have greater
>> complexity. This complexity must be balanced by benefits in order to justify
>> the cost.
>> For an example of complexity, have a look at what's involved using the ZEND
>> framework to add form elements to a web form...
>> and compare this to building a form manually:
>> Most people would agree that it is more complicated to use a web framework
>> for this task.
>> This gets us to the question, "what are the advantages to balance out this
>> type of complexity?"
>> The idea behind a web framework is that it solves a number of recurring
>> problems that will (or might) come up in any given web project. Examples
>> * Protection against cross site scripting attacks
>> * The ability to implement unit testing (PHPUnit, RSpec, etc.) to protect
>> against changes breaking code, for example on large projects with multiple
>> team members.
>> * Protection against web form spoofing.
>> * Dynamic database query generation within an Object-relational mapping
>> *** I wish I had a comprehensive list of all the things that a web framework
>> gives you. Please feel free to add to this list. Additions appreciated.
>> A web framework is a collection of code, some of which will be useful
>> for a given project and some of which will not. There might be advantages in
>> deploying only the pieces of code that are needed for a given project and in
>> the simplest possible way.
>> For example, in the Ruby world, the 2 popular frameworks seem to be Ruby on
>> Rails (RoR) and Sinatra. Ruby developers talk about using RoR in some cases
>> and Sinatra in other cases where they don't need the overhead of RoR. This
>> method of starting with the amount of code that's appropriate for a project
>> seems like a good idea. There is also the question of how easy is it to
>> modify a framework for those cases where you need to color outside the lines.
>> The most important question seems to be what problems does a framework solve?
>> If we can answer that question, it will help us make the best decision of
>> when to use a framework and when to keep it simple.
>> What do you all think?
>> All the best,
>> Tony White
>> Tony White Designs, Inc.
>> Tel: 646-714-2797 (Google Voice)
>> Tel: 718-797-4175
>> tony_white at twdesigns.com
>> http://www.twdesigns.com
>> FX.php_List mailing list
>> FX.php_List at mail.iviking.org
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
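The YAML de-serialization problem in the podcast excerpt Tony quotes above, as an added example that is not part of this thread and is not Rails' own code: a request body handed to Ruby's full YAML loader can name any class that is loaded in the process and get an instance of it back, while safe_load refuses the same document. The AuditLogEntry class and both request bodies are constructed for this example.

```ruby
require 'yaml'

# Hypothetical application class (an assumption for this example). Its only role
# is to show that the *document*, not the application, chooses what gets built.
class AuditLogEntry
  attr_reader :message, :severity

  def initialize(message, severity)
    @message = message
    @severity = severity
  end
end

# Constructed request bodies. The benign one is what a parameter parser is
# written to expect; the hostile one uses a YAML type tag to name a Ruby class.
BENIGN_BODY  = "---\nname: tony\nlimit: 10\n"
HOSTILE_BODY = "--- !ruby/object:AuditLogEntry\n" \
               "message: injected via request body\n" \
               "severity: critical\n"

# The pattern at fault: feeding untrusted input to the full YAML loader.
# Psych resolves a !ruby/object tag by allocating the named class and setting
# its instance variables, so initialize never runs and the caller gets back
# whatever the sender asked for. Psych 4 renamed the full loader to unsafe_load
# and made load safe by default; the branch keeps the demo working on both.
def unsafe_parse(body)
  if YAML.respond_to?(:unsafe_load)
    YAML.unsafe_load(body)
  else
    YAML.load(body)
  end
end

# The fix: safe_load only materialises scalars, arrays and hashes. A document
# that names a class is rejected before any object exists, and the parser turns
# that into an error value the request handler can answer with a 4xx.
def safe_parse(body)
  YAML.safe_load(body)
rescue Psych::DisallowedClass => e
  { 'error' => 'disallowed type', 'detail' => e.message }
end

if __FILE__ == $PROGRAM_NAME
  obj = unsafe_parse(HOSTILE_BODY)
  puts "unsafe_parse built a #{obj.class} with severity=#{obj.severity.inspect}"
  puts "safe_parse  -> #{safe_parse(HOSTILE_BODY).inspect}"
  puts "benign body -> #{safe_parse(BENIGN_BODY).inspect}"
end
```

The class used here is harmless on purpose; the point is that the loader will do the same for any class already loaded in the process, which is why the fix is to restrict the loader rather than to audit every class for a dangerous constructor. A parser that needs a few application types beyond the basic scalars can pass them to safe_load explicitly instead of falling back to the full loader.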