Instant Yii 1.1 Application Development Starter

Overview of this book

PHP is one of the most popular languages for building web sites and applications. While the Yii framework came a little bit later to the PHP scene, it has taken a lot of the best practices from around the Web and put it all into a single, awesome framework for making custom web apps. Yii 1.1 Application Development Starter is a straightforward, hands-on look at what is rapidly becoming one of the most revered frameworks for custom web application development. The Yii framework follows a tried and true object-oriented software development pattern called Model-View-Controller, making it quick and easy to build database driven applications. This book takes you through everything you need to know to get set up and rolling with the Yii framework. You will learn how to plan and start your application and how to take it where you want to go with the tools and extensions available with the Yii framework. This book will teach you how to build an application from the ground up, how to make sure you have everything you need in your hosting environment and get the Yii framework installed, how to create a strong relational database design, and how to set up model classes for your tables. You will also learn how to generate CRUD code to add/remove, view, and list records from your tables, then add custom routes, widgets, and extensions to make a robust application. Additionally, you will learn how to integrate authentication and role-based access permissions throughout your site. With this book, you will learn everything you need to get started with web application development using the Yii PHP framework.
Table of Contents (7 chapters)

So, what is Yii?


Yii is an open source framework for web applications built with the PHP scripting language. It was first released late in 2008 to a world bustling with frameworks vying for market share. Although it entered the game somewhat late, this turned out to be an advantage as its creator, Qiang Xue, was able to include some of the best features of existing products in Yii. Also, the lessons he learned as a developer for the Prado framework helped him to build a superior solution. Today, Yii is widely heralded as one of the top PHP web frameworks. You can read more about it at http://www.yiiframework.com.

Unlike a Content Management System (CMS), Yii is not a complete skeleton of your website that you configure through some sort of graphical user interface. You have probably heard the names Joomla! and Drupal, which are particularly famous CMS examples in the PHP world.

On the contrary, Yii is called a framework because it has a set of built-in components. You, as a web application developer, can and definitely should freely use these to save your development time.

So, whether you just need a quick database app, some web services, or you have been tasked with building a whole corporate web portal, Yii will lay the groundwork and set you on the right path.

Probably the most important parts of Yii are the complete database access layer and the highly intricate page rendering system. It comes with pre-built smart UI controls, from data grids to simpler ones such as datepickers, ready to be used on web pages. Also, for many routine coding tasks there is a set of automatic code generators. All of this will be explained in further sections.

The Yii website also contains a huge number of user-contributed extensions to help you add functionality quickly. Applications built following Yii's clean organization style turn out to be highly extensible and easy to maintain.

Yii enforces a tried and true architecture for your application, known as Model View Controller (MVC). This structure utilizes object-oriented principles to make clean separations in code organization.

Controllers receive requests, instantiate and manipulate the models that do the real work, and finally render the views for interaction with the end user. This will be discussed in greater depth in later sections; for now, it is important to know that, unlike in the original MVC definition, views in Yii are completely passive: they are just page templates, not full-fledged classes.

Yii's speed is unmatched thanks to some intelligent design choices at the core level. Most frameworks lose performance when they load more functionality than required for a given request. Loading too many classes can mean more disk reads, as each class is generally stored in its own file, or at least more processing if scripts are cached. More classes generally also result in additional database transactions, and all of these operations are both time and resource consuming.

Yii sticks to a philosophy of lazy-loading, where it strives not to load classes until they are actually needed. The core framework also adds no additional tables to your database, and makes only the minimum number of requests required to fetch the data for a given action. When your app is ready for production, there are a number of caching options to take performance to the next level. To reduce file I/O, Yii has built-in components that encapsulate common data caching solutions such as APC, Memcached, XCache, and EAccelerator. It also has a few components to handle caching of computed application data for an appropriate amount of time, such as the result of a complex database query.

Nowadays, when a website allows users to post content, it runs the risk that some of that content might actually be malicious code. Probably the most frequent attacks are SQL injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF). Of course, you can look up these terms on Wikipedia, but you can also find a detailed review of all these types of attacks in The Web Application Hacker's Handbook, by Stuttard and Pinto, published by Wiley in 2011. These are the common problems that website developers must address when accepting form data, and Yii has built-in means to cope with them. All database interactions made properly through the Yii API sanitize user input automatically.

For dealing with user-generated content that will be rendered on the web pages, Yii encapsulates a project called HTML Purifier, which can be applied to any input field and will filter out any malicious code, unless specified on a white list. The homepage of the project is http://htmlpurifier.org/, and it is included in the component.

To protect all your forms from CSRF attacks automatically, there is a single switch in the configuration. It passes a random value to the user when they load a form. When this value is passed back with the submission, the interaction is validated.

All these features will be explained later in the Top features section.
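The CSRF token round trip described above, modeled in plain PHP as an added example (not code from the book or from Yii itself); the function names, the csrf_token field name and the sample requests are assumptions made for illustration. In Yii 1.1 the switch is the enableCsrfValidation property of the request application component.

```php
<?php
// Added illustration: a plain-PHP model of the token round trip, not Yii's implementation.
// Function names, the field name and the sample requests are hypothetical.

/** Issue a fresh random value when the user loads a form. */
function issueCsrfToken(): string
{
    return bin2hex(random_bytes(32)); // 64 hex characters from a CSPRNG
}

/** Render a form that carries the value back as a hidden field. */
function renderForm(string $token): string
{
    $safe = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/comment/create">'
         . '<input type="hidden" name="csrf_token" value="' . $safe . '">'
         . '<textarea name="body"></textarea><button>Post</button></form>';
}

/** Validate a POST: the submitted value must equal the one issued to this user. */
function isValidPost(?string $issued, array $post): bool
{
    $submitted = $post['csrf_token'] ?? null;
    if (!is_string($issued) || $issued === '' || !is_string($submitted)) {
        return false; // nothing was issued, or the field is missing or not a string
    }
    return hash_equals($issued, $submitted); // constant-time comparison
}

// Constructed requests; run from the CLI to see each outcome.
$issued = issueCsrfToken(); // kept per user, e.g. in the session or a cookie
echo renderForm($issued), "\n\n";

$cases = [
    'form post with issued token' => ['csrf_token' => $issued, 'body' => 'hi'],
    'post without a token'        => ['body' => 'hi'],
    'post with a different token' => ['csrf_token' => str_repeat('0', 64), 'body' => 'hi'],
    'token sent as an array'      => ['csrf_token' => [$issued], 'body' => 'hi'],
];
foreach ($cases as $label => $post) {
    printf("%-30s %s\n", $label, isValidPost($issued, $post) ? 'accepted' : 'rejected');
}
```

Only the first request is accepted; the type check matters because PHP turns a field submitted as csrf_token[] into an array, which must be rejected rather than compared.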

Tip

Downloading the example code

You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the files e-mailed directly to you.