Development Wiki


From phpBB Development Wiki

Revision as of 20:27, 4 May 2012 by Socially uncensored (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)


  • Scalability (especially running across board on multiple servers)
  • Easy integration (wrapping) into third party software (e.g. CMS)
  • High quality code
  • No need for code changes in MODs/Extensions anymore
  • Building on existing code rather than reinventing the wheel


  • Modular OOP Code with properly decoupled classes
  • Consistent use of Dependency Injection (potentially making use of the PHP 5.3 Symfony DI Container)
  • Always programming against Interfaces, never against actual implementations
  • Extensive automated testing: Unit tests, integration tests and functional (UI) testing with PHPUnit, Selenium
  • Autoloading & Dependency/Package Managment with Composer
  • Making use of libraries such as symfony, Doctrine, ...
  • A phpBB development framework (build applications based on phpBB, standardize our framework into a library, as mentioned earlier)


phpBB4 should follow the new PHP 5.4 standards which are currently being developed for PHP frameworks. This mostly concerns naming conventions for consistent autoloaders.

PHP Standards Working Group PSR-0 Final Proposal

Adapting this standard will mean some significant changes to the phpBB Coding Guidelines.

PHP Extensions

  • SPL is always available in PHP 5.3+ so we can make use of all its features. The C implementations of some of its features can be faster than implementing the same thing in plain PHP.


phpBB3 escapes all input for html output, all database contents are in an escaped state too. This makes it less likely for inexperienced programmers to accidentally construct an XSS vector by printing out a variable. However it can also mean that in order to process a string you first have to undo the escaping, this can be confusing.

phpBB4 could either continue the phpBB3 approach or use some output mechanism that escapes all variables by default unless otherwise instructed and do no input escaping instead. Since separate escaping for writing to the database is needed this might make things more transparent, too.