
PHP - Frameworks, ORM, Encapsulation

Programming languages/environments aside, are there many developers who are using a framework in PHP, ORM and still abide by encapsulation for the DAL/BLL? I'm managing a team of a few developers and am finding that most of the frameworks require me to do daily code inspection because my developers are using the built in ORM.

Right now, I've been using a tool to generate the classes and CRUD myself, with an area for them to write additional queries/functions. What's been happening though, is they are creating vulnerabilities by not doing proper checks on data permission, or allowing the key fields to be manipulated in the form.

Any suggestions, other than get a new team and a new language (I've seen Python/Ruby frameworks have the same issues).


Throwing away a team is never an option: improve it instead!

  • Arrange security workshops to make them more aware of these issues.
  • Introduce (or even better: ask them to introduce) code guidelines for better handling these problems (a security-aware Hungarian notation or usage of prepared statements are two examples)
  • Address the shortcomings in code reviews - don't blame them for ignoring security, just show the problematic snippets you found and explain that security is very important to [choose one: this project/the customer/your company's reputation/you personally]
  • Let them do security audits on their own or their peer's code. Let them find out how easy it is to exploit such security flaws.
  • Find other tools/frameworks that better support your security model. But be warned: this option is very expensive! Your programmers will need to maintain code in the old framework and learn a new one (worst case: they will need to learn a new language along with the new framework)

But basically this is an issue that you have to solve collaboratively with your developers. If you declare war on them, you're bound to lose (regardless of the outcome for the developers.)
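The "usage of prepared statements" guideline from the answer above, as an added example that is not part of the original answer: a lookup built by string concatenation next to the same lookup with a bound parameter. It assumes PHP with the pdo_sqlite extension and uses an in-memory database; the invoices table, its rows and the function names are constructed for the illustration.

```php
<?php
// Added example (not from the question or the answer above).
// Assumes the pdo_sqlite extension; the table and rows are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, amount REAL NOT NULL)');
$pdo->exec('INSERT INTO invoices (id, owner_id, amount) VALUES (1, 10, 99.50), (2, 11, 250.00), (3, 10, 12.00)');

// VULNERABLE: the request parameter is concatenated into the SQL text, so the
// parameter can rewrite the WHERE clause instead of merely supplying a value.
function findInvoiceUnsafe(PDO $pdo, string $id): array
{
    $sql = 'SELECT id, owner_id, amount FROM invoices WHERE id = ' . $id;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the SQL text is fixed and the value is bound separately, so the
// database never parses user input as SQL. The ctype_digit check is defence
// in depth: binding alone already stops injection, but rejecting malformed
// ids early gives a clear error instead of a silent empty result.
function findInvoiceSafe(PDO $pdo, string $id): array
{
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    $stmt = $pdo->prepare('SELECT id, owner_id, amount FROM invoices WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// What an attacker might send as ?id=
$payload = '1 OR 1=1';

$leaked = findInvoiceUnsafe($pdo, $payload);
echo 'unsafe lookup returned ' . count($leaked) . " row(s)\n";

try {
    findInvoiceSafe($pdo, $payload);
} catch (InvalidArgumentException $e) {
    echo 'safe lookup rejected the input: ' . $e->getMessage() . "\n";
}

$own = findInvoiceSafe($pdo, '1');
echo 'safe lookup with a valid id returned ' . count($own) . " row(s)\n";
```

With the payload, the unsafe version executes `WHERE id = 1 OR 1=1` and returns every invoice regardless of owner, while the safe version refuses the input before it reaches the database. This is the kind of snippet worth keeping in the team's guidelines: the two functions differ by only a few lines, which makes the rule easy to state and easy to check for in review.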


To me it sounds like you want to improve coding culture. Have a look at the Rules of Extreme Programming. Maybe you can adopt a few techniques.

Basically, I get the impression there is very little communication right now between the developers and you. I might be just reading that into it, but to me it sounds like the devs are locked in the cellar and you are sitting somewhere else and getting frustrated about them. Change that kind of thinking. You are part of the team.

If your developers are not aware of the vulnerabilities they introduce into the code, consider having weekly code reviews. Let the developers talk about the code they wrote. Let them learn from each other. Make the code collectively owned. Foster learning and constructive criticism.

Remember, there is no I in Team.


May I recommend Nepthali? It's not an ORM, but the framework is designed to force security, i.e. all variables are encoded before output to the screen, unless explicitly defined not to.

It's also fairly lean, having no ORM, etc. so you can plug whichever ORM into it you want. It's pretty nice, actually.


If you want to check whether the user has access to a property, that is another layer, separate from the data access layer. But there are still frameworks where you can override the default load functionality and insert your logic before/after loading.

The lightest framework I've ever worked with is db.php (http://dbphp.net, https://github.com/hazardland/db.php). But it is a code-first object relational mapper. You'll have to define classes, then the database tables will be created according to your classes.

Take a look at the \db\table::load method. Every class has its own handler instance of \db\table located in the database::tables array. You can override table::load or create individual handlers for tables derived from the \db\table class and place them in database::tables.

The only problem is that the framework is not fully documented, but it has a very light, intuitive code structure and samples.

Another option is to make a DAL framework by yourself; it will take up to 3-4 months for one person to make it fully functional and powerful.
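The approach the answer above describes, a load hook that carries the access check so it cannot be forgotten on each page, as an added example that is not code from db.php or from any of the answers. It also addresses the second problem from the question, key fields being manipulated in the form, by whitelisting the columns a form may write. It assumes PHP 8 with the pdo_sqlite extension; the InvoiceRepository and AccessDenied names, the invoices table and the tampered form are constructed for the illustration.

```php
<?php
// Added example (not db.php's code, nor from the question or answers).
// Assumes PHP 8 and the pdo_sqlite extension; table, rows and names are constructed.

final class AccessDenied extends RuntimeException {}

final class InvoiceRepository
{
    // The only columns a form may write. id and owner_id are deliberately
    // absent: they come from the URL and the session, never from the form.
    private const WRITABLE = ['description', 'amount'];

    public function __construct(private PDO $pdo) {}

    // Every read goes through here, and every read checks ownership, so a
    // page cannot fetch a row without the check running.
    public function load(int $id, int $viewerId): array
    {
        $stmt = $this->pdo->prepare(
            'SELECT id, owner_id, description, amount FROM invoices WHERE id = :id'
        );
        $stmt->execute([':id' => $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        // "Not yours" and "does not exist" produce the same error, so the
        // response does not reveal which ids exist.
        if ($row === false || (int) $row['owner_id'] !== $viewerId) {
            throw new AccessDenied("invoice $id not found");
        }
        return $row;
    }

    // Update from an untrusted form. Keys outside WRITABLE are dropped before
    // they get anywhere near the SQL, and ownership is checked twice: once via
    // load() and once more in the UPDATE's WHERE clause.
    public function updateFromForm(int $id, array $form, int $viewerId): array
    {
        $this->load($id, $viewerId); // throws AccessDenied if not the viewer's row

        $data = array_intersect_key($form, array_flip(self::WRITABLE));
        if ($data === []) {
            return $this->load($id, $viewerId);
        }
        if (array_key_exists('amount', $data) && !is_numeric($data['amount'])) {
            throw new InvalidArgumentException('amount must be numeric');
        }

        // Column names come from the WRITABLE constant, never from the form,
        // so building the SET list dynamically does not reintroduce injection.
        $set = implode(', ', array_map(fn (string $c) => "$c = :$c", array_keys($data)));
        $params = [':id' => $id, ':owner' => $viewerId];
        foreach ($data as $column => $value) {
            $params[":$column"] = $value;
        }
        $stmt = $this->pdo->prepare(
            "UPDATE invoices SET $set WHERE id = :id AND owner_id = :owner"
        );
        $stmt->execute($params);

        return $this->load($id, $viewerId);
    }
}

// Constructed fixture: two invoices belonging to two different users.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, description TEXT NOT NULL, amount REAL NOT NULL)');
$pdo->exec("INSERT INTO invoices (id, owner_id, description, amount) VALUES (1, 10, 'hosting', 99.50), (2, 11, 'consulting', 250.00)");

$repo   = new InvoiceRepository($pdo);
$viewer = 10; // taken from the authenticated session, never from the request

// Tampered form: tries to re-key the row and hand it to another owner.
$form = ['id' => 2, 'owner_id' => 999, 'description' => 'hosting (paid)', 'amount' => '99.50'];
$row  = $repo->updateFromForm(1, $form, $viewer);
echo "after update: id={$row['id']} owner_id={$row['owner_id']} description={$row['description']}\n";

// Invoice 2 belongs to user 11, so user 10 cannot load it through the repository.
try {
    $repo->load(2, $viewer);
} catch (AccessDenied $e) {
    echo 'denied: ' . $e->getMessage() . "\n";
}
```

The point of routing every read and write through `load()` and `updateFromForm()` is the one the answer makes: the permission check lives in the data access handler, not in each controller, so a developer who forgets it cannot produce a page that skips it. The `id` and `owner_id` keys in the tampered form are discarded by the whitelist, and the `owner_id = :owner` condition on the UPDATE means that even a bug in `load()` could not let one user rewrite another user's row. A code review then only has to confirm that pages use the repository rather than raw queries.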

