I’ve been looking into the CodeIgniter PHP framework (CI) for a couple of weeks and want to document some of the surprises and caveats I have discovered. Coming from a non-framework background, I was surprised at how similar the CI conventions are to my own pseudo “framework” that I use on my projects – so I guess I must’ve been doing something right so far!
This is what I’ve learnt.
CI is backwards compatible with PHP4
Which, in my opinion, is something they should rectify – i.e. retire support in the next major release and move forward. From what I have read about CI vs Kohana (a CI fork), it seems that CI is sacrificing pretty autoloading simply because they remain backwards compatible.
Edit: This is actually incorrect; as of version 2.0.2 the minimum required version of PHP is 5.1.6. Thanks to Dale for pointing this out in the comments.
The MVC structure is superb, however…
A lot of tutorials I’ve watched lean towards using helper functions within views, such as for forms. From a developer perspective that’s fine; however, you can imagine a designer having problems with form_open() when he wants to add a simple class or ID. The upside is that they are just helpers – if you don’t like them, don’t use them.
Speaking of functions
I was surprised to discover the folder full of procedural helper functions. This is nice in terms of using functions anywhere inside the application, although it does seem a little out of place in an OOP framework. It would be nice to see these converted into classes.
Default session security is awful
Usually a PHP session’s data is stored server side and only a small cookie is kept client side to track a user session. However, in CI the session data is stored client side, which means that one simple alteration in Firebug later, you have potentially just given yourself admin privileges or discovered some other potentially sensitive information. It should be noted that an encryption key can be used to protect session alterations, but having to add third-party classes to do conventional PHP session storage left me gobsmacked.
Edit: Eric Barnes correctly pointed out that you can also securely store sessions in the database out of the box.
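To make the risk concrete, here is an added example (not CodeIgniter’s own session code, and not from the original post) showing how a server-side key lets the application detect a client-side edit to a cookie-stored session. The function names, the key and the session fields are hypothetical, and the sample data is constructed.

```php
<?php
// Added example: hypothetical helpers, not CodeIgniter's session code.
// Constructed placeholder key; a real key is random and never leaves the server.
const SESSION_KEY = 'constructed-demo-key-change-me';

// Encode the session data and append an HMAC so later edits are detectable.
function seal_session(array $data, string $key): string
{
    $payload = base64_encode(json_encode($data));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// Return the session array, or null when the cookie is altered or malformed.
function open_session(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // hash_equals compares in constant time, so timing does not leak the MAC.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;
    }
    $decoded = base64_decode($payload, true);
    if ($decoded === false) {
        return null;
    }
    $data = json_decode($decoded, true);
    return is_array($data) ? $data : null;
}

// Constructed sample: an ordinary user's session as issued by the server.
$cookie = seal_session(['user_id' => 42, 'is_admin' => false], SESSION_KEY);

// The client-side edit described above: new payload, old MAC reused.
$forged   = base64_encode(json_encode(['user_id' => 42, 'is_admin' => true]));
$tampered = $forged . '.' . explode('.', $cookie)[1];

// The untouched cookie passes the MAC check; the edited one does not.
var_dump(open_session($cookie, SESSION_KEY));
var_dump(open_session($tampered, SESSION_KEY));
```

Signing only detects changes: the payload is still readable by the client, so anything sensitive belongs in server-side storage such as the database sessions mentioned in the edit above.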
Using dashes instead of underscores in URLs…
Is a lot less trivial than you might think; in fact, I’m still trying to figure that one out.
CI is the logical introduction to frameworks
for the curious developer – the documentation is quite good and it has a strong community. The common view seems to be that some other frameworks (Zend, Symfony) are better for high end and complex application development, but CI has the easiest learning curve, and it does enough to satisfy most requirements.
Having said that – learn PHP properly first, then learn a framework.