
Yii Framework 2.0.0 GA - thefsb
http://www.yiiframework.com/news/81/yii-2-0-0-is-released/
======
kijin
> _Yii 2.0 helps you to write more secure code. It has built-in support to
> prevent SQL injections, XSS attacks ..._

This is just a minor complaint, but it's so pervasive among web frameworks
that I must complain yet again.

According to the documentation for Yii 2.0, the recommended way to output a
variable to a web page is:

    <?= Html::encode($var) ?>

Not the PHP standard:

    <?= $var ?>

Because if you do the latter, you will be vulnerable to XSS.

But why does every framework (and many template engines) insist on telling you
to call a specific function in the template in order to get XSS protection?
HTML escaping should be turned on by default, by whatever means possible.

The simplest template syntax should also be the most secure, not the other way
around. Because sooner or later, somebody is going to forget to call that
function.

Auto-escaping also saves a lot of clutter in templates, since there are
usually only a few places in any given page (usually the content of a post)
where HTML content needs to be printed unescaped (but filtered, of course).

Some frameworks escape everything by default and only allow you to print raw
HTML if you add a "noescape" flag. This is better, but some of them only do
this if you turn on some sort of "autoescape" flag at the top. This is just as
bad, since it is insecure by default.

One might point out that not all escaping is the same, since different
escaping rules apply in different contexts. But do we really have no way to
detect, when parsing and compiling a template, which context we're currently
in?

XSS protection in modern template engines should be opt-out, not opt-in.
Otherwise they have no right to claim XSS protection as a feature.

~~~
krapp
Twig, at least, escapes by default. Laravel's Blade templates don't, unless
that's changed recently.

But the price you pay for that of course is no longer working directly in PHP
but a templating language with its own syntax (for instance, array shorthand
in Twig templates [] has worked since I don't know when but only recently has
PHP gotten around to supporting it) which has to be parsed, and partially
compiled into PHP classes.

~~~
kijin
Yeah, frameworks that use raw PHP files as views at least have that as an
excuse. But the cost of using a simple template engine with good caching
support seems to be minimal compared to the benefit of XSS prevention.
CodeIgniter, for example, can convert short tags to full PHP tags if short
tags are turned off in php.ini. They might as well wrap htmlspecialchars()
around every {$var} while they're at it.

Non-PHP frameworks, on the other hand, really have no excuse.
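
Below is an added example illustrating the point made in this and the earlier comment (escape by default, opt out explicitly, and wrap every interpolated variable in `htmlspecialchars()` at compile time). It is not Yii's, CodeIgniter's or any other framework's code; the function names `escapeHtml`, `compileTemplate` and `renderTemplate`, the `{{ }}` / `{! !}` syntax and the sample input are all assumptions made for the demonstration.

```php
<?php
// Added example, not code from Yii or from the page's author. A minimal
// template compiler in which the simplest syntax is the escaped one:
//   {{ name }}  -> HTML-escaped output (the default)
//   {! name !}  -> raw output, the explicit opt-out for already-filtered HTML
// All names here (escapeHtml, compileTemplate, renderTemplate) are hypothetical.

declare(strict_types=1);

/**
 * Escape for HTML text and quoted-attribute contexts.
 * ENT_QUOTES matters: without it htmlspecialchars() leaves the single quote
 * alone, which is enough to break out of a single-quoted attribute.
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string,
 * which would otherwise silently drop the whole value.
 */
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Compile a template string into PHP source. Every {{ var }} becomes an
 * escaped echo; only {! var !} becomes a raw echo.
 */
function compileTemplate(string $template): string
{
    return preg_replace_callback(
        '/\{\{\s*(\w+)\s*\}\}|\{!\s*(\w+)\s*!\}/',
        function (array $m): string {
            // Group 2 is only set when the raw {! !} form matched.
            if (isset($m[2]) && $m[2] !== '') {
                return '<?= $vars[' . var_export($m[2], true) . '] ?>';
            }
            return '<?= escapeHtml((string) $vars[' . var_export($m[1], true) . ']) ?>';
        },
        $template
    );
}

/**
 * Render a template with the given variables and return the output.
 * eval() is used only to keep the example self-contained; a real engine
 * writes the compiled PHP to a cache file once and include()s it.
 */
function renderTemplate(string $template, array $vars): string
{
    $code = compileTemplate($template);
    ob_start();
    eval('?>' . $code);   // '?>' switches eval() into HTML mode first
    return ob_get_clean();
}

// Constructed attacker-controlled input (not real data): it tries to inject
// a script tag in text context and an event handler in attribute context.
$payload = "<script>alert(1)</script>\" onmouseover=\"alert(2)";

$tpl = '<p>Hello, {{ name }}</p>' . "\n"
     . '<input value="{{ name }}">' . "\n"
     . '<div class="post">{! body !}</div>' . "\n";

echo renderTemplate($tpl, [
    'name' => $payload,
    'body' => '<em>already filtered HTML</em>', // only place raw output is wanted
]);
```

Both `{{ name }}` occurrences come out as `&lt;script&gt;alert(1)&lt;/script&gt;&quot; onmouseover=&quot;alert(2)`, so neither the tag nor the attribute break-out survives, while `{! body !}` is printed verbatim. The caveat kijin raises about context still applies: `escapeHtml()` is correct for HTML text and quoted attribute values, but a value placed inside a `<script>` block, a URL or a CSS rule needs that context's own encoding, so a real engine must either track the context while compiling or require an explicit filter there.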

------
AlexMuir
I have a lot of fondness for Yii as it introduced me to MVC and moved me from
a designer into a developer. When I went on to learn Ruby and Rails everything
seemed to click together and I recognised quite a lot of what Yii had taken
from Rails.

That said, I get the sweats when I have to wade into an old Yii-powered app
that I wrote. Entirely faults of PHP (lack of symbols, array(...)
declarations, semicolon-itis) and my lack of experience back then (no testing,
fat controllers). I do miss the simplicity of deploying a Yii app, and its
speed compared to Rails. The creator, Qiang, is a PHP whizz.

~~~
coldtea
> _Entirely faults of PHP (lack of symbols, array(...) declarations,
> semicolon-itis)_

Sorry, but those are entirely trivial syntactic issues, and not very
interesting at that either...

~~~
bigtunacan
Symbols are not a syntactic issue. They are an optimization issue. They do not
have the creation overhead of objects and they exist across the application in
memory without the lookup overhead of a constant (PHP's closest cousin to a
symbol).

Lisp, Erlang, and Prolog (sure some other languages I've missed) have direct
equivalents to Ruby symbols; they are sometimes referred to as symbols other
times as atoms.

Saying they are a trivial syntactic issue just means you don't understand what
symbols are.

~~~
lmz
It's a bit silly to worry about the overhead of strings over symbols when the
PHP environment itself is not persistent across requests.

~~~
bigtunacan
That seems to be missing the whole point of symbols/atoms. They are uniquely
identified with an O(1) lookup time and persist in memory after the initial
creation. Symbols persist across multiple requests; this is a big part of why
they are so beneficial.

~~~
girvo
I'm not disagreeing with you, but

> _Symbols persist across multiple requests; this is a big part of why they
> are so beneficial._

That is still not really useful, PHP throws the entire execution context away
after the request has finished. There _is_ no sharing nor anything to persist
unless you're doing so with an external data-store.

~~~
windowsworkstoo
Wait, isn't that just if it's used/configured as a CGI? If you use it as a
webserver module (Apache/IIS/Lightspeed), the execution environment can
persist in a similar way to an app domain, right?

~~~
coldtea
Nope, it's still cleared at the end of the request (as it should be, this is
not a bug or mis-feature, and is actually one of the things PHP got right for
scalable apps).

What doesn't happen compared to CGI, IIRC, is loading the whole PHP engine
from the start for every invocation. But no request specific memory is ever
shared between invocations.

------
rdoherty
Out of all the PHP frameworks I've used (CakePHP, Kohana, Laravel, Symfony) I
have to say Yii is one of the best.

It's hard to describe why, I think mostly because it feels like it was built
and designed by one person who had a lot of experience with other frameworks
and knew PHP inside and out.

~~~
bigtunacan
Never was a fan of Yii myself. The one PHP framework I really do like though
is the Fat-Free Framework.

~~~
girvo
FFF is pretty rad, as is Slim framework. I like Slim so much I've been cloning
it for Hack[0]. With the next week off work, I'm looking forward to getting it
close to parity!

[0]
[https://github.com/LeanFramework/Lean](https://github.com/LeanFramework/Lean)

~~~
bigtunacan
Cool. My personal preference is towards these leaner micro-frameworks in
general. I've looked at Slim, seems cool, but never worked with it. Good luck
on your project.

------
SkyMarshal
> _Yii 2.0 helps you to write more secure code. It has built-in support to
> prevent SQL injections, XSS attacks, CSRF attacks, cookie tampering, etc.
> Security experts Tom Worster and Anthony Ferrara even helped us review and
> rewrite some of the security-related code._

+1 for opinionated security at the framework/platform level rather at the
programmer level, such that security features can be evolved, refined,
debugged over time and pushed back upstream, rather than reimplemented from
scratch each new project.

------
adoming3
I'm a Yii fan but it takes some time learning the "yii" way of doing things
i.e. structure, naming conventions. I decided to move on though because the
community and module ecosystem are small.

~~~
samdark
You meant "were small in 2008"?

------
knut
If you're serious about web development in PHP try Yii, chances are good
you'll fall in love! If not love at first sight, give it second chance. It's
really good inside :)

You can jump start using the new app templates:

1) [https://github.com/yiisoft/yii2-app-basic](https://github.com/yiisoft/yii2-app-basic) - simple app

2) [https://github.com/yiisoft/yii2-app-advanced](https://github.com/yiisoft/yii2-app-advanced) - if you need
multiple interfaces (frontend/backend/api)

------
pestaa
If your namespaces are all lowercase after adopting PSR standards, you haven't
really adopted the PSR standards.

~~~
phpnode
none of the PSRs specify that the namespace name should be capitalized.

------
rupom934106
Currently I am working with the CakePHP and Django frameworks. Now I want to
work in Yii. Which is the best between Yii and Laravel for a large concept
application? Can anyone tell which is the best framework for large applications
among CakePHP, Yii and Laravel? Please describe.

~~~
samdark
What do you mean by large _concept_ application? If you mean large or famous
projects in production, Yii 2.0 was just released so there aren't many.

For 1.1 there are some:

[https://www.facebook-studio.com/](https://www.facebook-studio.com/),
[http://2gis.ru/](http://2gis.ru/), [http://itop.fm/](http://itop.fm/),
[https://www.humhub.org/](https://www.humhub.org/),
[http://www.x2engine.com/](http://www.x2engine.com/),
[http://zurmo.org/](http://zurmo.org/),
[https://www.rebilly.com/](https://www.rebilly.com/),
[http://buildwithcraft.com/](http://buildwithcraft.com/)

------
riyaskpktni
Yii 1 is one of the best frameworks I have used.

------
mrityu_yadav
Currently I'm working with Yii 1. It's good to know that Yii 2 is released.
Thanks to all the Yii team!!

------
mconyango
This is great news. A lot of thanks to the Yii dev team for making the magic
happen!

------
logudotcom
Yii is an awesome and speedy framework to build with. I love to work with it. I
have yet to start 2.0.0.

------
logudotcom
Really, it is awesome and very quick. I love to work with it.

------
gesman
vs. Laravel? Anyone?

~~~
timetraveller
A matter of taste. Try both and see which one you like best for yourself.

~~~
kyle_t
Agreed. They are both solid frameworks and I've used both fairly heavily. I
personally find Laravel more 'natural'. I have to refer back to the
documentation in Yii far more often.

------
gremlinsinc
Yii feels more complicated and rough around the edges to me than Laravel.
There's just a lot of things that make sense to me in Laravel.

~~~
phpnode
Yii is actually incredibly polished, it's not rough around the edges at all.
It is not particularly easy on newcomers though, which is the main reason it's
not more widely known.

If you put the effort in to learn it thoroughly, you'll be rewarded with an
incredibly productive platform that is great not just for getting apps out of
the door super quickly, but also provides a secure, scalable foundation which
is easy to grow and maintain.

