In this new post to the PHP::Impact blog, Federico takes a look at the architecture behind one of the PHP community's most popular frameworks - the Zend Framework.

Before we begin our exploration of the architecture of the Zend Framework (ZF), it is important to discuss how a typical MVC application is built. Examining and understanding the architecture of an MVC Web application allows you to make more contextually sound choices when building your application.

He starts with a look at a three-tier architecture (presentation, application, data) and compares that to the MVC used in the Zend Framework. He talks about how ZF is a hybrid component and infrastructure framework and the coupling that it provides between its components. He also has a few criticisms namely some performance issues from this style and the lack of a module to handle model/controller dependencies.

Andrew van der Stock has written a strong criticism of PHP's insecurity. Andrew is a seasoned security expert and a major contributor to OWASP, and he states:

"After writing PHP forum software for three years now, I've come to the conclusion that it is basically impossible for normal programmers to write secure PHP code. It takes far too much effort."

He continues, citing specific areas where he thinks PHP is weak and asserting that "PHP must now mature and take on a proper security architecture."

Chris also mentions that some of the reasons Andrew mentions include register_globals, magic_quotes_gpc, and safe_mode - all due to be removed in the latest PHP version (6). Also, be sure to check out the comments on the post for a good bit more information and discussion...