
> However you're then hoping that there are not any vulnerabilities within the framework.

The likelihood of me introducing an injection, authentication/authorization bypass or RCE vulnerability in homegrown stuff is orders of magnitude larger than in an application where at least the sensitive core parts are handled by something that's battle tested in millions of deployments and regularly audited.
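The injection case above, as an added example that is not part of the original thread: a "homegrown" lookup that splices user input into SQL text beside the parameterized form that any mainstream framework's query layer (Doctrine, Eloquent, PDO prepared statements in PHP) uses under the hood. Python's sqlite3 is used here so the block runs offline; the table contents and the payload are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, is_admin) VALUES (?, ?)",
        [("alice", 0), ("bob", 1)],
    )
    conn.commit()
    return conn


def find_user_homegrown(conn, name):
    """Vulnerable: the caller's string becomes part of the SQL grammar."""
    sql = f"SELECT id, name FROM users WHERE name = '{name}' AND is_admin = 0"
    return sorted(conn.execute(sql).fetchall())


def find_user_parameterized(conn, name):
    """Safe: the driver binds the value; it is never parsed as SQL."""
    sql = "SELECT id, name FROM users WHERE name = ? AND is_admin = 0"
    return sorted(conn.execute(sql, (name,)).fetchall())


# A classic payload: closes the string literal, adds an always-true
# predicate, and comments out the rest of the WHERE clause (including
# the is_admin = 0 restriction).
PAYLOAD = "x' OR 1=1 --"


if __name__ == "__main__":
    db = make_db()
    print("homegrown, normal input:     ", find_user_homegrown(db, "alice"))
    print("homegrown, injected input:   ", find_user_homegrown(db, PAYLOAD))
    print("parameterized, normal input: ", find_user_parameterized(db, "alice"))
    print("parameterized, injected input:", find_user_parameterized(db, PAYLOAD))
```

With the payload the homegrown query returns every row, admin included, because the string was interpreted as SQL; the parameterized query returns nothing, because no user is literally named `x' OR 1=1 --`. The point of the comment stands: a framework does not remove the need to think, but it makes the second form the path of least resistance instead of the first.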



If the framework is promoted to be enhanced by an ecosystem of plugins and widgets, you're still introducing the same exploitable ground as developing your own. If not more dangerous, because you're operating already on core infrastructure and with a wider audience. How often does the developer get bored and start to neglect the plugin?

I do agree that a single home-hobbyist programmer should not be coding a bank and that SQL injections and the rest are all lethal to the internet. However, you end up with stagnation and lack of innovation if you pressure users to use a framework because there's a fear of some sort of exploit.

It's like riding a bike and forcing the rider not to ride without stabilisers because they may fall sideways.


>How often does the developer get bored and start to neglect the plugin?

For the most popular frameworks (e.g. Drupal, Symfony, PHPUnit), the core ecosystem is (co-)maintained by the framework authors, who are funded through various means, usually consulting/webdev agencies. The "usual" FOSS burnout problem doesn't apply for them.

> However you end up with stagnation and lack of innovation if you pressure users to use a framework because there's a fear of some sort of exploit.

A framework is just that: a framework. You can develop all you want with that framework; I've seen Symfony being used for everything from tiny microservices to the code for a bank's website. You can develop faster and better code because you don't have to re-invent wheels or do tedious interoperability tests for basic stuff all the time, and whatever problem you encounter, someone else will have also encountered and posted a solution on Stack Overflow.

> It's like riding a bike and forcing the rider not to ride without stabilisers because they may fall sideways.

No. Symfony, Laravel and others are the vendors for the basic bike; you can always bolt on custom parts according to your need, and for the PSR-standardized stuff like loggers, you can even choose between multiple different part vendors.


You have valid points. I disagree on personal preference, and so I'll agree to disagree.

I guess what I'm saying is building from scratch makes different happen. I can see the purpose of frameworks, but when it comes to a new start-up project, it just feels like it should be built from scratch; otherwise you have a project which is pre-made and not really yours. That's what puts me off from using a framework.

I myself was a script-kiddie in the older generation of the internet era, 15/16. I'm talking 2003, when extensions had .php3 and uploading scripts over 56k took hours. If you wanted a forum, same for a CMS: either use a pre-existing platform and use the functionality it provided, or build it yourself. PHP-Nuke, e107, phpBB all come to mind. However, the internet was young, compared to now where technology has evolved and time is less, so I can see where frameworks come in.



