Ashley Sheridan​.co.uk

Why CodeIgniter Is Not Recommended Over Other PHP Frameworks

I recently saw an article recommending the use of the CodeIgniter framework. While the article is mostly accurate (with some glaring exceptions) the problem is that the advice is so out of date, it's essentially useless. PHP has a bad reputation in the web development world as being a terrible language. I admit, its greatest strenght is also its biggest weakness: it allows anyone to easily create something that just works. Often, this means that it just about works, and is full of more holes than Swiss cheese. So when I see an article that's offering bad advice (such as recommending something dangerious like an extremely out-of-date framework), then I feel compelled to correct it, especially when said article is written in 2017!

So why do I disagree with the article? Mainly, that it just doesn't seem to grasp the great flaws that CodeIgniter has. Now, don't get me wrong, I've used CodeIgniter a lot throughout my career, and it was a great MVC framework in its day, but that day is long past. There are plenty of better frameworks out there in the forms of Laravel, Symfony, or even Slim if you want something that retains some of the lightweight feel of CI.

So what points did I think the article got so wrong? Well, aside from a lot of the article consisting of generic fluff that could be used as an argument for any nearly framework, the main points were as follows:

  1. Faster Execution Time Completes Web Development Job Quickly

    Fast execution time is something that is appealing and should be sought after with any framework you choose. But it shouldn't be the only factor. Not using any framework at all and building the site as a bunch of simple PHP files strung together may well be the very fastest (short of going down the compiled route) for response times, but it doesn't lend itself well to maintenance, security, or any of a bunch of other factors that are crucial for development.

    The author goes on to say No other PHP framework can match the execution speed of CodeIgniter which is patently not true. Phalcon, Slim, and Kohana all outperform CI in terms of response times. Even Laravel (considered a bloated by some) is not far behind in the performance stakes.

    Performance benchmark graph of 14 popular PHP frameworks

  2. Great Security Functions

    CodeIgniter is not what most people would consider a secure framework. Mostly that is in part due to its age. It's an old framework, and doesn't make use of newer functionality that exists within PHP. Because of that, it's had to write a lot of its security stuff itself. Now given something built into the core of a language or a regular expression sanitiser written as a function inside a framework, I'm going to choose the former. When those "security functions" are not regular expression string sanitisers, they're typically just wrappers to core PHP functions that are available on any PHP framework. CodeIgniter doesn't have any kind of monopoly on their use.

    A couple of areas of particular note:

    • Form validation is mostly handled by regular expression checking. This has the side effect of not being robust, and letting in things that it shouldn't, while rejecting things it should allow.
    • Database queries are not secure if you don't make sure you use the variable binding. Now, while that's true of any database query class, CodeIgniter uses the same query() method for bound and unbound queries. For a developer just starting with PHP, it's all too easy to never bind any variables and introduce an SQL injection attack.
    • Views don't have any kind of templating language which would protect against bad output. Their own documentation actively instructs developers to use echo statements in the view templates. This is not necessarily always a bad thing, unless you're a new developer that doesn't realise that not everything is safe to just print out inside a view. The XSS protection built into CI does a paltry job at protecting from actual real injection attempts, so it's all too easy to fall into a false sense of security if you don't realise the pitfall exists.
  3. Easy Handling Of Errors

    This is probably the worst "point" in favour of CI, just for the very fact is that it shows that CodeIgniter hides too much by default. As a developer you shouldn't write code with the errors suppressed by some means on your dev environment, ever. At best you're just hiding warnings (which also shouldn't exist in code that's ever going to be on a production website), but at worst you're potentially hiding serious errors. It's fairly bad practice to let your framework be responsible for turning errors on and off, that sort of thing should really be handled by the server. This sort of behaviour leads to the creation of CMSs like Expression Engine which cannot function correctly with error display turned on because it's so full of warnings out of the box.

The rest of the arguments from that article are valid for any other framework you choose. Of course, each has it's own particular strengths and weaknesses, but they all offer sensible file hierarchies, are easily configurable, have community support, etc. None of those arguments are more valid for CodeIgniter (unless you're still developing in 2007.)

If you're new to PHP development, then CodeIgniter is not the route you should head down. The framework is too old, and doesn't even support most of what was added in PHP 5.6, let alone any of the PHP 7 offerings. It's struggling to be relevent in a world where the core language is evolving at its most rapid pace since its inception. It stagnated for over a year as its creators sought out new owners, and although those new owners have been busy, they're playing catch-up with the other major players. I personally feel its had its day, and it's unlikely it will ever reach the status it once had, but for now, it's definitely not recommended for any kind of development, save for an historical window into how PHP development was a decade ago.

<