Hi,
my name is Juergen, I am an experienced web developer and got interested in Yii after getting up to date on new frameworks. I have experience and made projects with CodeIgniter, PRADO, Zend Framework, WordPress, etc. Plus I maintain my very own simple PHP framework for some of my own sites.
Just recently I finished a very huge project with the Zend Framework and - since I managed a team of 10 developers - it really helped to be disciplined and work on a well structured "frame". However, the speed of ZF is lousy. After this was done, I developed one of my own sites for a change in pure PHP and got fantastic speed out of it, but it's not very extensible and has already too many hacks, which only I understand. My next project is coming up and there might be more programmers added later, so I might want to use Yii for it.
Anyway, I have a very simple question: Why does the default installation put stuff into the web root, which doesn't really get served by the httpd server? It seems to be common these days, the totally insecure WordPress installation dumps basically everything inside the web root (htdocs usually), then "protects" it with a .htaccess file.
My usual strategy is to place files similar to this:
/WEB/htdocs/index.php <- The front controller
/css/ <- Static CSS files
/js/ <- Static JavaScript files
/images/ <- Static image files
/whatever-needs-to-be-served-by-httpd/ <- Static whatever files
/WEB/framework/ <- The framework or libraries totally separated
/WEB/application/ <- All application files
I understand that it's easier for users who have a shared web hosting to just dump everything into the web root, but (I run my own servers) I understand that even if you work with shared hosts, you have something similar to my "WEB" directory and a sub "htdocs" directory, so you can still create sub-dirs under WEB, which are not part of the "htdocs" web root.
The reason for this layout is simple: security. What is NOT placed in the web root can usually not be served (except you make the decision to serve it). WordPress and other packages do something (ahem) questionable, they often define something like "APP_ROOT" in the front controller and add to every file residing in the web root a line like this:
if (!defined('APP_ROOT')) die("no direct access allowed");
which works, but is hard to maintain and so very unnecessary.
The point of all this above is that I would love to see Yii using a similar approach from the beginning, or at least a simple way to have configuration defaults which allow for putting everything which doesn't necessarily get served by an httpd server out of the web root (the "protected" folder for example).
Thoughts? Comments? Looking forward to it!
Thanks, and keep up the great work so far, Yii looks very promising.
Juergen
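As an added example (not code from the post or from the Yii project), here is a front controller applying the layout described above: only index.php lives in htdocs, framework and application are sibling directories outside it. It assumes Yii 1.x's framework/yii.php bootstrap and Yii::createWebApplication; the directory names and the document-root sanity check are my own assumptions.

```php
<?php
// Added example: /WEB/htdocs/index.php for the layout
//   /WEB/htdocs/index.php   <- the only PHP file httpd can serve
//   /WEB/framework/         <- Yii, outside the web root
//   /WEB/application/       <- application code/config, outside the web root
// Assumes Yii 1.x and that application/config/main.php sets
// 'basePath' => dirname(__FILE__) . '/..' (as the generated config does),
// since the application no longer lives in htdocs/protected.

$webRoot      = __DIR__;                                   // /WEB/htdocs
$frameworkDir = realpath($webRoot . '/../framework');
$appDir       = realpath($webRoot . '/../application');

// Sanity check: refuse to boot if a deploy flattened the layout and the
// framework or application ended up inside the directory httpd serves.
// That is exactly the situation in which per-file guards become "needed".
$docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
if ($docRoot === false) {
    $docRoot = $webRoot;
}
foreach (array('framework' => $frameworkDir, 'application' => $appDir) as $name => $dir) {
    if ($dir === false) {
        http_response_code(500);
        exit('deployment error: ' . $name . ' directory is missing');
    }
    if (strpos($dir . DIRECTORY_SEPARATOR, $docRoot . DIRECTORY_SEPARATOR) === 0) {
        http_response_code(500);
        exit('deployment error: ' . $name . ' directory is inside the document root');
    }
}

// With the code outside the web root, no file needs a guard such as
//   if (!defined('APP_ROOT')) die("no direct access allowed");
// because httpd cannot map any URL onto those files in the first place.
require_once $frameworkDir . '/yii.php';
Yii::createWebApplication($appDir . '/config/main.php')->run();
```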