I think we already have quite a nice toolchain for REST in Symfony2 with Bundles like FOSRestBundle, JMSSerializerBundle, NelmioApiDocBundle, FSCHateoasBundle and HautelookTemplatedUriBundle. What is great about these Bundles is that they are all nicely integrated with each other. But there are still some limitations which should be addressed.

Some of the still outstanding issues he points out include issues with content-type and routing, dynamic content in the NelmioApi bundle, Behat context testing, JSONP support and more. He suggests gathering together a product backlog of these items and possibly making a kickstarter to fund its development.

For those that have used both frameworks, what one do you feel is a better overall framework? I tried ZF2 in beta and it seemed overly complicated to symfony but I don't know if its gotten better since then.

Opinions shared in the comments of the post include things like:

• "So if you are learning for job prospects, go Zend. I love Symfony 2 though, its a joy to work with."
• "It doesn't matter. Each has a strength and a weakness, and neither will go away. Pick one and use it, you'll be fine."
• "I don't think there is such thing as a best framework as you should use the best tool for the job. I don't think MVC is the solution to all problems."
• "Both are quite bloated but they have to be considering their target markets."

On the whole, the views are of the "best tool for the job" mentality - a good sign for the community and these two frameworks.

Both ZF2 and Symfony 2 offer the same behavior: if I'm in a controller, and I want to use a service, I have to get it from the container with $this->get('my_service'). As such, the controller is not using DI, this is the service locator pattern. Controllers become more difficult to tests because of that, and they depend on the container now. I wonder why both frameworks didn't go further: why not treat controllers like services and use dependency injection on them. In other words: if a controller needs a service "A", then it should get it in the constructor, or through setter/property injection.

The comments talk some about the "controller from the DI container" idea, some other ways around the problem and some clarification as to what the frameworks are actually doing related to the container injection.

Symfony 1.x I would put into a category of frameworks focused on RAD, aka rapid application development. [...] So for those people who were happy focusing on the 80% use case Symfony2 is a step back. Suddenly the same features take longer to implement, take longer to modify later on and on top of that the learning curve is steeper.

He suggests that work be put into "RAD layers" that can sit on top of Symfony2 and provide some of the more familiar features people are used to from things like CakePHP, Yii and CodeIgniter. There's been a few tries to accomplish this with only one getting the closest in his opinion - the KnpBundle.

About a month ago, I merged a complete refactoring of the sub-requests management of Symfony. In fact, I created a whole new sub-framework to handle the rendering of resource fragments via different strategies. [...] Besides classical master requests, the HttpKernel component is now able to handle sub-requests. Let's me sum up the different strategies that are available: internal sub-requests, ESIs, HIncludes, and SSIs (in 2.3).

He talks some about each strategy and what situations they're best suited for and some sample code that shows the use of the "standalone" and "strategy" parameters. There's also new methods you can call (like "render_esi" or "render_hinclude") to work with the new features as well.

If we are working within a Symfony2 application or a PHP application that uses the Symfony's Dependency injection container component you can easily integrate this simple script in the service container. I will show you the way that I use to do it.

His sample code uses the Guzzle HTTP library and some configuration options from a YAML file to create a new service hooked into the Twitter API with his credentials. He then imports it via his services configuration and shows an example of it in action - getting the latest contents of his timeline.

It happens more and more: large projects where your symfony2 site is just a small part in the big picture. Lots of additional components might even play a bigger part, especially when you are dealing with asynchronous components which are connected through message queues for instance. [...] Our first idea is obvious: symfony2 uses by default a parameters.yml file, which gets imported by your configuration (config.yml) [...] So nothing new here and this setup works perfectly, provided that your symfony2 project is the ONLY thing that needs to be configured. As soon as you add multiple other components (like gearman or activemq workers that need to connect to solr too), they need to share this configuration.

His solution involves falling back to the INI-file format that's known as useful for several different languages and tools. Because of how Symfony2 reads these files though (only looking for "parameters") he's had to create a "ConfFileLoader" instance of the "FileLoader" that uses the parse_ini_file method to parse the data and return it back to the main container as parameters. He also includes the code/config you'll need to implement this custom loader into your application.

Code execution vulnerabilities are, by definition, hideous monsters. The ability for external inputs to enter an execution context (i.e. injecting or manipulating code that is executed on the server) can be difficult to spot through the haze of convenience that such machinations are often designed to deliver. In Rail's case, that convenience was to automatically cast data entries in XML or YAML inputs into Ruby types including, unfortunately, Symbols and Objects.

These types of "buried" code execution vulnerabilities are still easy to locate in PHP, at least, because you are still restricted to normal code execution pathways in the absence of Ruby's dark magic, e.g. eval(), include(), require_once(), system() and, let's not forget, unserialize().

He talks about how, if you're not careful with the code (third party libraries) that you use in your applications - or don't adhere to good security practices in your own - you could be vulnerable to a similar style of attack. After some investigation on his part, he discovered an issue related to this in the Symfony2 YAML parser (now fixed with a new release).

To summarise… Pay attention to competing applications or frameworks - their problems may also be your problems. If you're worried about arbitrary code execution vulnerabilities then audit your code. You can even, as a sanity check, use grep to find uses of functions like eval(), unserialize(), etc and analyse where their parameters' might originate from.

OK. We can handle PDOs connections inside a Symfony2 application, but what happens if we prefer DBAL. As we know DBAL is built over PDO and adds a set of "extra" features to our database connection. It's something like PDO with steroids.

He includes the (PHP) configuration to set up the DBAL and the YAML definition to set it up in the DIC's configuration. As an update to the post, he also points out a bundle for Symfony2 that lets Doctrine do this natively - check out this documentation on github.

I'm not a big fan of ORMs, especially in PHP world when all dies at the end of each request. Plain SQL is easy to understand and very powerful. Anyway in PHP we have Doctrine. Doctrine is a amazing project, probably (with permission of Symfony2) the most advanced PHP project, but I normally prefer to work with SQL instead of Doctrine. [...] Due to my daily work I need to connect to different databases (not only one) in my applications.

He shows the normal setup using the "parameters.yml" file to define the multiple database connections but notes that this isn't the most ideal solution. Instead, he walks you through the steps to create the "databases.yml" configuration file and a simple "Db" class that acts as an interface to pull the PDO objects from the container. You can then just call the "get" method on the container to extract the fully configured PDO object, ready for use.