Comparison of PHP frameworks: CakePHP, CodeIgniter and Yii
Not so long ago a post on Habré skipped the appearance of a new PHP-framework called Yii.
After getting acquainted with it, this framework seemed interesting, promising and worthy of attention to me.
Daniel Carrera recently posted on his blog an interesting article called “Comparison of PHP frameworks” about comparing CakePHP, CodeIgniter, and Yii.
In order to popularize Yii among the Russian-speaking (and poorly-English-reading) population, I decided to make a translation.
Caution: this is a long read.
-
Content
- Simplicity
- Documentation
- Performance
- Flexibility
- Security
- Other comments
- Summary
-
Simplicity
It's hard to judge the simplicity of the framework before creating the application, but I can give a few comments based on the documentation:
CakePHP
Installation: I had problems with Apache that were not documented. I had to edit three .htaccess files to add “RewriteBase” commands.
Use: Helpers, Actions, Behaviours, Layouts, Components ... Do I really need to know all this to write my program? Cake seems to have the highest entry threshold and, for the moment, I don't see any special features that the other frameworks would not provide.
All frameworks come with a default layout and CSS. For testing purposes, I had to get rid of this so that each framework does only what it needs. In the case of CakePHP, it turned out to be very difficult to find out which design files were used. They were in an illogical place (inside my application directory).
CodeIgniter
Installation: Trivial. Just unzip the files and you're ready to go.
Usage: CodeIgniter seems simple enough. The documentation gives no reason to doubt it. My hello-world application was ready much faster than when using Cake. In general, the entry threshold for CI is lower.
All frameworks come with default layout and CSS. For testing purposes, I had to get rid of this so that each framework does only what it needs. In the case of CI, this happened automatically when I created a new view. CI does not insert a design unless asked to do so.
Yii
Installation: Easy. You must run yiic to create the web root directory. There is also a PHP version (yiic.php), which is handy if you do not have SSH access. Yiic is well documented.
Usage: Yii also seems simple and straightforward, perhaps a little less than CodeIgniter. My "hello-world" was created almost as fast as in the case of CI.
All frameworks come with default layout and CSS. For testing purposes, I had to get rid of this so that each framework does only what it needs. With Yii, it was very simple. The design file is in a logical place and it is well documented.
I am happy to report that none of the frameworks requires learning a template language such as Smarty. PHP itself is a great template engine. I used Smarty for several years and, frankly, I think it has more problems than benefits. I note that Yii and CodeIgniter come with an optional template engine, especially for those who like one. But, as I said, it is optional.
Result: CodeIgniter seems the simplest, followed closely by Yii.
I will postpone the final verdict until I write prototype applications in the second part of the testing.
-
Documentation
Please be critical. The documentation usually starts to look a little different when you are actually writing an application. If it is inaccurate or incomplete, you will not know about it until you start work. Until now, the only application I wrote for the tested frameworks is hello world.
CakePHP
My first impression was positive. The documentation looks complete and easy to read. The tutorials were pretty hard to spot (they ended up in the Example Applications section). When I wrote my "hello world", I encountered a problem (404 error), and this was not described in the documentation. I had to edit the .htaccess files to solve it. I would like to see a "Troubleshooting" section in the documentation. In addition, it was very difficult for me to figure out how to get rid of the extras (header, footer, styles) that are present in Cake by default.
CodeIgniter
The first impression was again positive. Note that writing “hello world” took me a lot less time than with Cake. I think the reason is that CI is simpler, but I also think that the documentation has influenced it.
Yii
And again, my first impression was positive; I wrote hello world very quickly. After that, I got rid of the additional extras that Yii attaches to make the page pretty. Finding out how to do it was very easy and fast.
Result: At the moment, it's hard to judge.
All of the frameworks seem to have good documentation. I had a couple of problems with Cake, but so far I can’t say anything firmly.
-
Performance
In this part, I want to discuss two performance tests. One was conducted by me, the other by the Yii team. I think both are worthy of attention.
Key similarities:
Both tests try to estimate the minimum overhead of each framework: the framework has to output "Hello World" and nothing more.
Key differences:
I used the default configuration of each framework. The Yii team tried to optimize each framework to display Hello World as quickly as possible.
The Yii test only performs die(). Mine uses MVC: the controller sets a variable to "Hello World", then it is passed to the view for output in a basic HTML page.
Yii used a dedicated server for tests, and I used shared hosting, where I am going to host my real application.
So the Yii team's tests are technically cleaner, but mine better reflects real-world behavior.
As always, all tests should be taken critically.
Results are expressed in Requests Per Second (RPS), so higher values are better.
Test Details:
This page on the Yii website describes their test. In my test, each framework contained the following code in the view:
where $message is the variable provided by the controller, and its value is "Hello World". The number of requests per second was determined using the ApacheBench utility with the following parameters: "ab -t 30 -c 10 URL". My test environment is shared hosting with the following parameters:
* CentOS 4 Enterprise Linux.
* Apache 2
* PHP 5.2.6
* CPU: Quad-Core AMD Opteron(tm) Processor 2350
* Memory: 8GB
Conclusions: Yii and CI both stood out in terms of speed. Perhaps Yii has some advantage, but it’s hard to say for sure.
-
Flexibility
CakePHP
CakePHP is very tied to conventions. It expects a specific naming of files, classes, databases, methods, etc. I can't say for now whether this will be a problem for me, but it may well be.
CodeIgniter and Yii
CodeIgniter and Yii both look quite flexible. Looking at the documentation, it is hard to say that one is definitely more flexible than the other.
Both use the MVC pattern, but do not seem very strict in this regard. CakePHP is much more dependent on conventions than Yii and CI.
Some examples of similarities and differences:
* Each of the frameworks expects you to follow the controller naming conventions.
* CakePHP requires creating a model, database, and table, even if they are not used in your program.
* Cake invokes the view automatically, based on the name of the controller. In CI and Yii, you invoke the view explicitly, so in Cake convention prevails over configuration more strongly. In turn, in CI and Yii you can call multiple views.
Here is a sample code:
As you can see, the versions for CI and Yii do not seem more complicated than the one for CakePHP, and in addition they have an extra feature: you can load more than one view file. For example, you can load a special header, insert a widget, etc.
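To make the difference concrete, here is an added example of the three controller styles described above. It is not code from the article or from any of the frameworks' own distributions; it assumes the default directory layout of the frameworks as they shipped around the time of the article (CakePHP 1.2, CodeIgniter 1.x, Yii 1.0), and the class names, view names and the $message variable are illustrative. The three classes belong to three separate applications.

```php
<?php
// Added example (not from the article or the frameworks): how "Hello World"
// gets from the controller to the view in each framework. Three separate
// files are shown in one listing; class and view names are assumptions.

// --- CakePHP: app/controllers/greetings_controller.php ---
// The action only sets variables. Cake itself renders
// app/views/greetings/index.ctp, chosen by convention from the controller
// and action names; there is no explicit render call.
class GreetingsController extends AppController
{
    var $name = 'Greetings';
    var $uses = array();   // otherwise Cake insists on a Greeting model and table

    function index()
    {
        $this->set('message', 'Hello World');   // view is rendered implicitly
    }
}

// --- CodeIgniter: system/application/controllers/hello.php ---
// Views are loaded explicitly and may be chained (header, body, footer);
// every loaded view sees the variables passed in $data.
class Hello extends Controller
{
    function index()
    {
        $data = array('message' => 'Hello World');
        $this->load->view('header');
        $this->load->view('hello_body', $data);   // this view echoes $message
        $this->load->view('footer');
    }
}

// --- Yii: protected/controllers/HelloController.php ---
// render() wraps the named view in the layout. Inside that view, further
// fragments (a widget, a special header) can be pulled in with
// $this->renderPartial('_fragment'), so several view files combine freely.
class HelloController extends CController
{
    public function actionIndex()
    {
        $this->render('index', array('message' => 'Hello World'));
    }
}
```

The security-relevant consequence of the Cake style is the one the text hints at: because the view and the model are chosen for you, you have to know the convention to find out which file actually produced a given piece of output, whereas in CI and Yii the call that loads each view is visible in the controller.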
Result: CodeIgniter and Yii both look more flexible. At the moment, I can’t determine which one is more flexible.
-
Security
Security is a complex topic, as there are a large number of different types of attacks. This section is quite long, but I will try to stick to the topic. It is divided into parts according to the capabilities of the frameworks and the types of attacks.
Access Control
Background reading: Authentication and Authorization.
CakePHP
I found that the access control system in CakePHP is hard to understand. A code generator ("cake bake") is used to generate schema files and access control lists (ACLs), and this process looks complicated. Some terms (ACOs, AROs, Requester) finished me off completely.
I expected access control to be tricky, but in Cake it turned out to be a lot more complicated than I expected. It looks quite powerful, but hard to use. I felt that I was not in control of the process and did not understand what was happening. And security is exactly what I would like to have control over and that I would like to understand well.
Quick test: I did not notice an obvious way to strengthen the password hashing. The tutorial says that if you hash passwords yourself, the application will not work.
CodeIgniter
As far as I can tell, CI does not provide access control facilities. Access control can be quite a difficult task (groups, roles, etc.) and it would be nice if the framework helped in this.
Yii
I understood the access control system in Yii much faster. I would not say that it is simple, but that is because access control itself is not easy. I would say that in Yii the access control system is as simple as possible, but no simpler. After reading the documentation, it seemed to me that I understood the process and that I am able to adapt it to my needs.
Quick test: I could immediately find how to strengthen the password hashing.
Some Yii features that I like
* Flexibility: you may have access rules based on the user's IP address or request type (GET vs POST), or rules for anonymous and authorized users.
* Return URL: you follow a link, but the session has already expired. You are redirected to the login page. You log in and the system automatically returns you to the page you were trying to reach. To me, this is very convenient.
* Role Based Access Control: RBAC is more flexible and powerful than traditional ACLs. With the Yii framework, you can write your application without paying attention to RBAC, and use it only in cases where you need to solve a specific problem. So the system is as flexible as it should be, but your access rules are no more complicated than required.
Dictionary attacks
A dictionary attack consists of attempts to guess a password using a list of the most commonly used words, a dictionary. In the case of web applications, such an attack can be very effective. The recent attack on Twitter was a dictionary attack.
There are many methods for stopping a dictionary attack: account lockout after X failed authorization attempts, time delays, CAPTCHAs. Each of them has its advantages and disadvantages. Account lockout is easy and effective, but opens the door to a denial-of-service attack: someone can make many authorization attempts, not in order to gain access, but in order to lock other users out. Here is one of the methods that I like: after 5 unsuccessful attempts, you must solve a CAPTCHA in order to get additional attempts. This balances control of dictionary attacks, DoS, and user friendliness.
None of the frameworks has tools for dictionary attacks or denial of service problems, but I did not expect that. The real question is whether you can configure the authorization method in the framework exactly the way you need it. This is a matter of control and flexibility. In CI and Yii, I'm sure I can do this. With CakePHP, I'm not so sure.
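The policy the text prefers (five free attempts, then a CAPTCHA for every further attempt) is small enough to write out. The following is an added example, not code from the article or from any of the three frameworks; it keeps the per-account failure counter in a plain array (an assumption, in place of the database or cache a real application would use) and takes the results of the password check and the CAPTCHA check as booleans, since the point is the ordering of the checks rather than the checks themselves.

```php
<?php
// Added example (not from the article or any framework): login throttling
// in which, after 5 failed attempts on an account, further attempts are only
// evaluated together with a solved CAPTCHA. Counter store is an in-memory
// array (assumption); class and method names are illustrative.

class LoginThrottle
{
    const MAX_FREE_ATTEMPTS = 5;

    private $failures = array();   // account name => consecutive failed attempts

    // True once the account has used up its free attempts.
    public function captchaRequired($account)
    {
        return isset($this->failures[$account])
            && $this->failures[$account] >= self::MAX_FREE_ATTEMPTS;
    }

    // $passwordOk: result of the real credential check.
    // $captchaOk:  result of the CAPTCHA check, or null if none was submitted.
    // Returns 'ok', 'bad-password' or 'captcha-required'.
    public function attempt($account, $passwordOk, $captchaOk = null)
    {
        // The CAPTCHA gate is checked BEFORE the password: otherwise a guess
        // that happens to be right on attempt six would still succeed, and the
        // throttle would only slow down wrong guesses.
        if ($this->captchaRequired($account) && $captchaOk !== true) {
            return 'captcha-required';
        }
        if ($passwordOk) {
            unset($this->failures[$account]);   // success resets the counter
            return 'ok';
        }
        if (!isset($this->failures[$account])) {
            $this->failures[$account] = 0;
        }
        $this->failures[$account]++;
        return 'bad-password';
    }
}

// Constructed walk-through: five wrong guesses, then attempts with and
// without a solved CAPTCHA. Nobody is ever locked out permanently, so the
// counter cannot be abused to deny service to the legitimate user.
$throttle = new LoginThrottle();
for ($i = 0; $i < LoginThrottle::MAX_FREE_ATTEMPTS; $i++) {
    $throttle->attempt('alice', false);
}
echo $throttle->attempt('alice', false), "\n";        // gate closed, no CAPTCHA
echo $throttle->attempt('alice', true), "\n";         // right password, still gated
echo $throttle->attempt('alice', true, true), "\n";   // CAPTCHA solved, password checked
```

In a real deployment the counter should be keyed by the account name, not by client IP, since it is the account that a dictionary attack targets and the attacker's addresses can change; the CAPTCHA requirement, unlike a lockout, costs the legitimate user a few seconds rather than access.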
Cross-site scripting (XSS)
XSS is ahead of buffer overflows in the ranking of the most common security issues. It works like this: someone posts a comment on your blog, and the post includes malicious JavaScript code. When you view the blog, the code executes. Since the code is served from your domain, the browser considers it "safe". This code can read your cookies or modify the contents of the page (for example, "Session expired. Please enter your password.").
CodeIgniter and Yii come with HTML filters that can remove JavaScript code from user input. Unfortunately, CakePHP does not have such filters.
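Whether or not the framework filters input, the defence a practitioner can apply in any of the three is to escape data at the point where it is written into HTML, so that a stored comment is rendered as text rather than markup. The following is an added example, not code from the article or from any framework; the comment text is constructed, and the function names are illustrative.

```php
<?php
// Added example (not from the article or any framework): output escaping for
// a stored blog comment. Function names are illustrative; the comment body
// is constructed test data.

// Encode <, >, &, " and ' so the browser treats the data as text, never as
// tags or attribute delimiters. Safe for element content and for values
// placed inside quoted attributes.
function e($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// The mistake the text describes: the comment goes into the page verbatim,
// so any <script> it contains runs in the blog's origin.
function renderCommentUnsafe($author, $body)
{
    return '<div class="comment"><b>' . $author . '</b>: ' . $body . '</div>';
}

// Same markup, every piece of user data escaped in its context.
function renderComment($author, $body)
{
    return '<div class="comment" data-author="' . e($author) . '">'
         . '<b>' . e($author) . '</b>: ' . e($body)
         . '</div>';
}

$author = 'mallory';
$body   = 'Nice post! <script>alert("xss")</script>';

echo renderCommentUnsafe($author, $body), "\n";   // script tag survives intact
echo renderComment($author, $body), "\n";          // rendered as &lt;script&gt;...
```

Input filtering of the kind CI and Yii ship removes known-dangerous constructs on the way in and is a useful extra layer, but output escaping is the check that does not depend on anticipating every construct the filter might miss, which is the same argument the SQL injection part below makes against escaping functions.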
SQL injection
SQL injection is one of the most common attacks and security flaws in web applications (there is even a comic about it). It occurs when text entered by the user is interpreted as executable SQL code. For example:
Suppose the user enters the password foo' OR 1='1. Then the query will be like this:
Since 1='1' is always true, the query will return a list of all users. The most common (and incorrect) solution is to escape strings with functions like addslashes() or mysql_real_escape_string():
What is wrong with this solution?
* It is error prone, as you must remember to do this for each parameter.
* It also depends on someone having found all the possible characters that can be used for an attack. The good guys have to find all the holes; the bad guys only need to find one. That is a losing game.
Chris Shiflett shows how to inject SQL bypassing addslashes using a Chinese character. How can we know that there is no Tamil character that allows bypassing mysql_real_escape_string?
The right solution: prepared statements
The right solution is to solve the problem as a whole by compiling the SQL query separately from the user input, that is, by using prepared statements (in other words, parameterized queries). Prepared statements separate the SQL query logic from the user data (see here and here).
Do the frameworks support prepared statements?
Unfortunately, only one of the three frameworks, Yii, provides this. I think the lack of prepared statements is the most serious problem of CakePHP and CodeIgniter.
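The query the text describes, and the prepared-statement version of it, side by side: this is an added example, not code from the article or from any of the frameworks. It uses PHP's PDO with an in-memory SQLite database built on the spot (constructed data; the pdo_sqlite extension is assumed), and it stores the passwords in the clear only so that the query reads the same as the one in the text; a real application compares password hashes.

```php
<?php
// Added example (not from the article or any framework): the vulnerable
// string-built query next to the prepared-statement version, run against a
// constructed in-memory SQLite table. Passwords are stored in the clear here
// only to mirror the text's query; real code stores and compares hashes.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, password TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 'secret1')");
$db->exec("INSERT INTO users VALUES ('bob',   'secret2')");

// Vulnerable: user input is pasted into the SQL text, so the database
// cannot tell where the query ends and the data begins.
function loginVulnerable(PDO $db, $name, $password)
{
    $sql = "SELECT name FROM users WHERE name = '$name' AND password = '$password'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the SQL text is fixed and compiled first; the values are bound
// afterwards and can only ever be compared, never parsed as SQL.
function loginPrepared(PDO $db, $name, $password)
{
    $stmt = $db->prepare(
        'SELECT name FROM users WHERE name = :name AND password = :password'
    );
    $stmt->execute(array(':name' => $name, ':password' => $password));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The password from the text. In the string-built query it becomes
//   ... AND password = 'foo' OR 1='1'
// and since AND binds tighter than OR, the OR clause matches every row.
$input = "foo' OR 1='1";

echo "vulnerable: ", implode(', ', loginVulnerable($db, 'alice', $input)), "\n";
echo "prepared:   ", implode(', ', loginPrepared($db, 'alice', $input)), "\n";
```

The bound version returns nothing because no row has the literal string foo' OR 1='1 as its password; the quote character never reaches the SQL parser, which is why the question of which multibyte characters an escaping function handles does not arise at all.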
Cross-site request forgery (CSRF)
Cross-site request forgery (CSRF) is in a sense the complement of cross-site scripting (XSS). XSS abuses the client's trust in the server; CSRF abuses the server's trust in the client. Imagine that Bob is visiting a malicious site containing the following image tag:
If Bob is currently logged in to his bank's site, the bank server will receive a request from Bob to transfer $10,000 to Eva's account.
What can be done to protect against CSRF? In addition to reducing the lifetime of cookies, the main solution is to use a secret value to authenticate any GET and POST parameters that can modify data on the server.
CakePHP and CodeIgniter do not seem to have any means of combating CSRF. Yii offers CSRF protection for POST requests using secret tokens (you must enable this feature). To fully protect against CSRF, you must also make sure that GET requests cannot modify data on the server.
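The secret-token scheme in the two paragraphs above, written out for the bank transfer scenario: an added example, not code from the article or from Yii's own implementation. It stands in a plain array for $_SESSION so that it runs from the command line (an assumption), uses random_bytes() and hash_equals() from PHP 7, and the handler and field names are illustrative.

```php
<?php
// Added example (not from the article or any framework): a per-session
// secret token that authenticates state-changing POST requests. A plain
// array stands in for $_SESSION (assumption); names are illustrative.

// One random token per session, generated on first use.
function csrfToken(array &$session)
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(16));
    }
    return $session['csrf_token'];
}

// Hidden field the bank embeds in its own forms. A malicious page cannot
// read it: the same-origin policy keeps the bank's HTML from other sites.
function csrfField(array &$session)
{
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Accepts only a POST that carries this session's token.
function csrfCheck(array $session, $method, array $post)
{
    if ($method !== 'POST') {
        return false;   // GET must never modify data, so it never passes
    }
    if (empty($session['csrf_token']) || empty($post['csrf_token'])) {
        return false;
    }
    // Constant-time comparison; a plain === would leak timing information.
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

// The state-changing action, guarded by the check.
function transfer(array $session, $method, array $post)
{
    if (!csrfCheck($session, $method, $post)) {
        return 'rejected';
    }
    return 'transferred ' . $post['amount'] . ' to ' . $post['to'];
}

// Constructed walk-through.
$session = array();
$hidden  = csrfField($session);   // emitted into the bank's transfer form
$forged  = array('to' => 'eva', 'amount' => 10000);

echo transfer($session, 'GET', $forged), "\n";                   // the <img> request
echo transfer($session, 'POST', $forged), "\n";                  // forged POST, no token
echo transfer($session, 'POST', $forged + array(
    'csrf_token' => csrfToken($session))), "\n";                 // the bank's own form
```

The token should be tied to the session, not to the user account alone, and it must not be accepted from a cookie or a GET parameter, since both of those are exactly what a forged request can carry.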
Cookie hijacking
Cookies are commonly used to store fairly sensitive information such as session IDs, usernames and password hashes. Cookie hijacking is when a third party gets hold of your cookies. This can be done using XSS or a packet sniffer.
How do you protect yourself from cookie theft? SSL protects you from sniffers, and you must take measures to prevent XSS attacks. You can also make cookies less valuable by not storing sensitive information in them for long. For example, instead of storing md5(passwd), use hashes that expire: HMAC(date, md5(passwd)).
As far as I know, CakePHP and CI do not have any protective mechanisms against cookie theft. Yii has cookie validation, which uses an HMAC to authenticate the data the cookie contains. An attacker cannot change the data in the cookie (for example, its expiration date) without being noticed.
Of course, none of this will help you if you make stupid mistakes, such as storing the password in the clear in a cookie.
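An added example of the expiring, authenticated cookie the two paragraphs above describe; it is not code from the article or from Yii's cookie validation. It signs a value together with its expiry time using an HMAC under a server-side key, so that neither the value nor the expiry can be altered unnoticed; the key and the session value are constructed here, the value is assumed to contain no "|" separator, and the function names are illustrative.

```php
<?php
// Added example (not from the article or any framework): a cookie value of
// the form value|expires|hmac. The HMAC covers both fields, so extending
// the expiry or swapping the value invalidates the cookie. $secret is a
// server-side key (constructed here; in practice from configuration).
// Assumes $value contains no '|' (e.g. a hex session id).

function signCookie($secret, $value, $expires)
{
    $payload = $value . '|' . $expires;
    $mac = hash_hmac('sha256', $payload, $secret);
    return $payload . '|' . $mac;
}

// Returns the value, or null when the cookie is forged, modified or expired.
function verifyCookie($secret, $cookie, $now)
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    list($value, $expires, $mac) = $parts;
    $expected = hash_hmac('sha256', $value . '|' . $expires, $secret);
    if (!hash_equals($expected, $mac)) {
        return null;   // any change to value or expiry breaks the MAC
    }
    if ((int) $expires < $now) {
        return null;   // genuine but stale: a stolen copy stops working
    }
    return $value;
}

// Constructed walk-through.
$secret  = 'constructed-server-key-do-not-reuse';
$issued  = 1700000000;                       // fixed "now" for repeatability
$cookie  = signCookie($secret, 'a1b2c3d4', $issued + 3600);

var_dump(verifyCookie($secret, $cookie, $issued + 60));       // valid, within lifetime
var_dump(verifyCookie($secret, $cookie, $issued + 7200));     // same cookie, expired

// Someone who captured the cookie tries to push the expiry a year ahead;
// the MAC no longer matches the edited payload.
$parts    = explode('|', $cookie);
$parts[1] = $issued + 86400 * 365;
var_dump(verifyCookie($secret, implode('|', $parts), $issued + 7200));
```

A short lifetime limits how long a sniffed or XSS-exfiltrated copy is useful, and the HMAC stops the holder from extending that lifetime; what it does not do is stop the holder using the cookie inside the window, which is why the text still insists on SSL and XSS prevention.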
Winner: Yii
Yii has a significant security advantage, with better access control and protection against XSS, SQL injection, cross-site request forgery and cookie theft.
CakePHP and CodeIgniter are a little disappointing in this regard. Since CI is more flexible, it will be easier to add the required security features yourself.
-
Other comments
There are some things that I consider necessary to mention, although they do not fall under the criteria of this test.
Prototype
CakePHP uses the Prototype library. I have dealt with Prototype before. Basically, it pollutes the global namespace and may break JavaScript code that is already running. So Prototype does not play well with your code or other libraries.
Scheduled Releases
Yii has scheduled releases. I would like all open source projects to have this.
Input Filtering
CodeIgniter has an excellent Input class which performs data cleaning. It destroys the GET array and all global variables except POST and COOKIE. This feature doesn't quite fit my criteria, but it contributes to better code and is therefore worth mentioning. I mentioned XSS filtering in the previous section.
-
Summary
In my opinion, CakePHP is undoubtedly worse than CI and Yii. Its documentation is generally good, but no better than that of CI and Yii. I do not see any area in which Cake looks distinctly better than CI or Yii. It might be better for simple applications that do everything exactly as Cake expects. But in general, Cake is more complex than CI or Yii, and it does not seem worth it.
Yii and CodeIgniter are very close. They are nearly equal in performance, documentation, and flexibility — both are fast, well-documented, and flexible enough. CodeIgniter is somewhat simpler, but Yii has a security advantage. I will wait until I write prototypes of applications on each of them in order to form a final opinion.
I usually don't like comparison tables, as they simplify things too much. But I understand that people often want to see a short summary table, so I’ll provide an approximate sketch:
[1] Take it critically. It’s hard to judge the documentation before you start writing the program.
[2] CodeIgniter earns a point for XSS filtering and overall flexibility.
Original article and copyrights - Daniel Carrera, “Comparison of PHP frameworks - Part I”