DEV Community: Benyamin Khalife

Why You Should Stop Using Laravel for Commercial Projects (The Hidden Risks)

Benyamin Khalife — Tue, 26 May 2026 13:57:50 +0000

Every framework has its honeymoon phase. For PHP developers, Laravel has been that reliable, feature-rich partner for years. It’s elegant, it has an amazing community, and it gets things done fast.

But fast development doesn't always mean a sustainable commercial product.

With the recent wave of supply chain attacks targeting popular Laravel ecosystem dependencies (like localization/lang packages and ignition RCEs), it’s time to take off the rose-colored glasses. Here is why choosing Laravel for your next enterprise or high-scale commercial project might be a massive technical debt in disguise.

1. The "Bloatware" Dilemma: Heavy, Slow, and Resource-Hungry

Laravel is undeniably bloated. Out of the box, it boots up a massive container, hundreds of classes, and an abstraction layer for almost everything.

The Cost: While this makes writing code easy, it consumes significant memory and CPU cycles per request compared to modern micro-frameworks or compiled languages like Go and Rust.

Commercial Impact: In a production environment, higher resource consumption directly translates to bloated cloud infrastructure bills. When scaling to millions of requests, Laravel requires expensive horizontal scaling setups far sooner than it should.

2. The Dependency Hell & Supply Chain Vulnerabilities

Laravel doesn't live in a vacuum; it heavily relies on Symfony components and a massive tree of third-party packages.

The Risk: You aren't just trusting Taylor Otwell; you are trusting hundreds of anonymous open-source maintainers. As we recently witnessed, hackers are actively exploiting this by poisoning the ecosystem (e.g., embedding backdoors in language and helper packages).

The Control Problem: Managing, auditing, and securing a giant vendor folder in Laravel is a logistical nightmare. One compromised sub-dependency can instantly introduce a Remote Code Execution (RCE) vulnerability into your commercial app.

3. The "Mass Popularity" Target

Being the king of PHP frameworks comes with a massive bullseye on your back.

The Target: Hackers love popular frameworks. Why waste time finding a zero-day vulnerability for a custom or niche framework when finding one exploit in Laravel or its core dependencies grants you access to hundreds of thousands of live websites?

Automated Exploitation: Shodan and automated botnets constantly scan the web for Laravel specific patterns (like exposed .env files or older Ignition pages). The moment an exploit is published, your site is targeted within minutes.

4. Architectural Magic That Breaks at Scale

Laravel relies heavily on "magic" methods, Facades, and Eloquent ORM. While great for rapid prototyping, this magic obfuscates what is actually happening under the hood.

As your data grows, Eloquent can easily introduce N+1 query problems and hidden memory leaks if not meticulously optimized.

Deeply nesting your business logic inside Laravel's heavily opinionated structure makes migrating or rewriting microservices incredibly difficult later on.

Conclusion: Is Laravel Dead?

No. It’s still fantastic for MVPs, SaaS internal tools, or small-to-medium business apps.

However, if you are building an enterprise-grade, high-performance, and security-critical commercial system, the heavy architectural footprint and the massive attack surface of its ecosystem should make you think twice. Sometimes, going lighter, stricter, and more compiled is the only way to scale safely.

What’s your take? Have you migrated away from Laravel for performance or security reasons? Let's discuss below!

Stop Scanners from Hammering Your PHP App — Without a Database or External Services

Benyamin Khalife — Sat, 16 May 2026 12:46:35 +0000

Every day, automated bots are scanning your website. Not just yours — everyone's. They probe for exposed .env files, old WordPress admin panels, SQL injection points, and known CVEs. Some of them send thousands of requests per minute, not because they're targeting you specifically, but because scanning the entire internet is cheap and easy.

This article is about what's actually happening out there, why it matters even for small projects, and how a lightweight PHP library can help you deal with it.

What Are These Scanners, Exactly?

Web scanners are automated programs that crawl the internet looking for security vulnerabilities. Some are legitimate security tools — like Shodan or Censys — that map the internet for research purposes. But many others are operated by attackers who are looking for:

Exposed configuration files — .env, web.config, .git/config
Unprotected admin panels — /wp-admin, /phpmyadmin, /adminer
Known vulnerable endpoints — like xmlrpc.php in WordPress or setup.php left behind after an install
SQL injection and XSS vectors — via query strings, POST bodies, and cookies
Path traversal attacks — trying ../../etc/passwd variations

The tools they use are well-known: sqlmap, nikto, nmap, dirbuster, gobuster, masscan, and many more. These aren't obscure hacking tools — they're freely available, widely documented, and actively maintained.

Even if your app has no actual vulnerabilities, these scanners generate noise, consume server resources, pollute your logs, and can slow down real users during a burst of requests.

Why Server-Level Solutions Aren't Always Enough

You might wonder: "Can't Nginx or Apache handle this?"

Sort of. You can write firewall rules, block known bad IPs, or configure rate limiting in your server config. But these approaches have limitations:

They require system-level access (not always available on shared hosting)
They need manual maintenance as attack patterns evolve
They can't easily inspect request payloads for things like SQL injection signatures
They don't integrate naturally with your application logic

A PHP-level firewall runs inside your application, which means it can inspect everything: headers, query strings, POST bodies, cookies, request paths, and user agents — and react accordingly.

Introducing xZeroProtect

xZeroProtect is a lightweight, file-based PHP 8 firewall with zero external dependencies. No Redis, no MySQL, no external services — everything is stored on disk.

Install it via Composer:

composer require webrium/xzeroprotect

The simplest possible integration — two lines at the top of your index.php:

<?php
require 'vendor/autoload.php';

use Webrium\XZeroProtect\XZeroProtect;

XZeroProtect::init()->run();

That's it. Default rules activate immediately.

What It Actually Does

1. Blocks Known Scanner User Agents

The library maintains a list of User-Agent signatures associated with scanning tools and attack frameworks: sqlmap, nikto, nessus, acunetix, masscan, dirbuster, gobuster, feroxbuster, wfuzz, ffuf, hydra, metasploit, and many others. Requests from these tools are blocked before they get anywhere near your application logic.

You can extend or trim this list:

$firewall->patterns->addAgent('custom-bad-bot');
$firewall->patterns->removeAgent('curl'); // if your API clients use curl legitimately

2. Blocks Sensitive Path Probes

Scanners routinely probe paths that don't exist in modern PHP apps — and shouldn't. xZeroProtect blocks requests targeting:

CMS admin panels: /wp-admin, /wp-login, /administrator
Config files: .env, .git, .htpasswd, web.config
Database tools: /phpmyadmin, /adminer, /dbadmin
Dangerous files: .sql, .bak, .backup, dump.sql
Web shells: shell.php, c99.php, r57.php
Path traversal: ../, ..%2f, %2e%2e

If you're running a fully-routed PHP app with no .php files in URLs, you can add that as a rule too:

$firewall->patterns->addPath('.php');

3. Scans Payloads for Attack Signatures

The payload scanner inspects GET parameters, POST body, raw input, and cookies using compiled regular expressions. It detects:

SQL injection variants: UNION SELECT, DROP TABLE, SLEEP(), BENCHMARK()
XSS: <script tags, inline event handlers, javascript: protocol
Path traversal: ../
PHP code injection: system(), exec(), eval(base64_decode(...))
LFI: /etc/passwd, /etc/shadow
Remote file inclusion
Command injection via shell metacharacters

4. Rate Limiting Without Redis

The rate limiter uses a sliding-window counter stored per-IP on disk. No Redis or Memcached required.

$firewall = XZeroProtect::init([
    'rate_limit' => [
        'max_requests' => 60,
        'per_seconds'  => 60,
    ],
]);

When a client exceeds the limit, they accumulate violations. After enough violations, they get temporarily banned. After enough bans, permanently.

5. Doesn't Block Legitimate Crawlers

This is important: Google, Bing, and other legitimate search engines should not get caught in your firewall. xZeroProtect handles this with double-DNS verification for major crawlers:

Resolve the visitor's IP to a hostname via reverse DNS
Confirm the hostname ends with the expected suffix (e.g. .googlebot.com)
Re-resolve that hostname back to an IP
Confirm the re-resolved IP matches the original

Anyone can fake a User-Agent string. DNS cannot be faked. This is the same verification method recommended by Google and Bing in their official documentation.

Learning Mode: Test Before You Block

Before switching to production, you can run in learning mode. All threats are detected and logged, but nothing is blocked. This lets you review what would have been caught and tune your configuration accordingly.

// During tuning
XZeroProtect::init(['mode' => 'learning'])->run();

// Once satisfied
XZeroProtect::init(['mode' => 'production'])->run();

This is genuinely useful. Running learning mode for a few days on a real server will show you the volume and variety of automated probes hitting your application — and help you avoid accidentally blocking legitimate traffic.

Apache Integration for Zero-PHP-Overhead Blocking

For permanently banned IPs, you can optionally write them into .htaccess so Apache rejects the connection before PHP even starts:

$firewall = XZeroProtect::init([
    'apache_blocking' => true,
    'htaccess_path'   => __DIR__ . '/.htaccess',
]);

This is particularly useful for confirmed attackers who you never want to reach your application layer again.

Custom Rules

If the built-in modules don't cover a specific case, you can register your own:

use Webrium\XZeroProtect\RuleResult;

$firewall->rules->add('no-php-extension', function ($request) {
    if (str_ends_with($request->path(), '.php')) {
        return RuleResult::block('PHP extension not valid on this server');
    }
    return RuleResult::pass();
});

Rules can block, log without blocking, or pass. They run in priority order and can be enabled, disabled, or removed at runtime.

What xZeroProtect Is Not

To be clear about expectations: this is not a commercial WAF. It won't stop a sophisticated, targeted attack from a determined adversary. It doesn't do deep packet inspection, it doesn't have a threat intelligence feed, and it doesn't update its rule set automatically.

What it does is significantly reduce the automated noise that hits most PHP applications — the opportunistic scanners, the script-kiddie tools, the mass-probing bots — with a setup that takes minutes and has no infrastructure dependencies.

For many projects, especially those on shared hosting or small VPS instances where you don't have the option to configure Nginx rate limiting or cloud WAF rules, this is a practical and useful layer of defense.

Getting Started

composer require webrium/xzeroprotect

Full documentation and source: github.com/webrium/xzeroprotect

Start in learning mode, review your logs, tune your configuration, then flip to production.

Have feedback or found an edge case? Issues and PRs are welcome on GitHub.

Building a Modular Ecosystem: How I’m Rethinking the CLI for My Personal

Benyamin Khalife — Fri, 15 May 2026 18:01:04 +0000

Every developer has that one project they pour their soul into. For me, it’s Webrium — my personal PHP framework. Recently, I’ve been focusing on its "brain" for command-line operations: the Webrium Console.

You can check out the progress here: https://github.com/webrium/console

The Vision: Beyond Simple Commands

While I’ve always admired how Laravel’s Artisan simplifies development, I wanted to build something that fits a specific architectural need I had: True Modularity.

The goal for the Webrium Console wasn't just to run migrations or seeders. I wanted a system where you can build a website normally, and then "export" or "modularize" specific parts of it as independent plugins or components.

Turning Features into Components

The most exciting part of this console library is how it handles site sections. Imagine you’ve built a robust Admin Panel or a Blog system. Instead of having them buried deep within your project’s monolith, Webrium Console allows you to treat them as portable components.
For example:

The Blog Component: It’s not just a set of files. It includes

everything—the management interface for the admin and the public-facing views for the client.
The Admin Portal: You can build it once and potentially plug it into different projects managed by the framework.

This "extract and reuse" approach is what I’m currently refining. It’s about being able to say: "I need a blog on this new site," and simply plugging in your pre-built, console-managed component.

I’d love to hear your thoughts on this:
Laravel is the industry standard for a reason, but sometimes we seek something different. What is the one thing that would make you look beyond established frameworks like Laravel and try something newer or custom-built for your projects?

Do you need a custom website or a specialized web solution?
Feel free to reach out! I’m available for new projects, or even just a free consultation to help you figure out the best tech stack for your needs.

Let’s connect:
Telegram: @benyaminir
Email: benkhalifedev@gmail.com

Generating Sitemaps is Easy

Benyamin Khalife — Thu, 14 May 2026 06:02:44 +0000

I've been building PHP projects for a while, and one of those annoying little tasks that keeps coming up is generating sitemaps. Not because it's technically hard — it's just tedious. You either roll your own XML string builder (and inevitably forget an edge case), or you pull in a heavy package that does ten things you don't need.
So I wrote a small library called webrium/sitemap to handle it cleanly. No bloat, just a focused tool that covers the real-world cases: images, videos, hreflang for multilingual sites, gzip, and automatic splitting for large sites.

Getting Started

composer require webrium/sitemap

That's it. PHP 8.1+ and the xmlwriter extension (which is almost always enabled by default).

The Basics

use Webrium\Sitemap\Sitemap;

$sitemap = new Sitemap('https://example.com');

$sitemap->addUrl('/',       changefreq: Sitemap::FREQ_DAILY,   priority: 1.0); // → https://example.com
$sitemap->addUrl('/about',  changefreq: Sitemap::FREQ_MONTHLY, priority: 0.8);
$sitemap->addUrl('/blog',   changefreq: Sitemap::FREQ_DAILY,   priority: 0.9);

echo $sitemap->generate();

One thing worth noting: passing '/' for the homepage correctly produces https://example.com — no trailing slash appended. Clean URLs matter, especially when Google is reading them.

Full URL Options

Each URL can carry a lastmod, changefreq, and priority. Named arguments make this readable even when you're using all of them:

use DateTime;

$sitemap->addUrl(
    path:       '/blog/my-first-post',
    lastmod:    new DateTime('2025-04-15'),
    changefreq: Sitemap::FREQ_WEEKLY,
    priority:   0.7
);

changefreq tells crawlers how often the content changes. Available values:

changefreq tells crawlers how often the content changes. Available values:

Constant	Value
`Sitemap::FREQ_ALWAYS`	always
`Sitemap::FREQ_HOURLY`	hourly
`Sitemap::FREQ_DAILY`	daily
`Sitemap::FREQ_WEEKLY`	weekly
`Sitemap::FREQ_MONTHLY`	monthly
`Sitemap::FREQ_YEARLY`	yearly
`Sitemap::FREQ_NEVER`	never

priority is a float between 0.0 and 1.0. Your homepage is typically 1.0, blog posts somewhere around 0.6–0.8. Search engines don't treat this as a hard rule, but it's still worth setting thoughtfully.

lastmod accepts any DateTimeInterface, so you can pass a DateTime, DateTimeImmutable, or Carbon instance from your models directly.

Adding URLs in Bulk

If you're pulling pages from a database, addUrls() is cleaner than looping manually:

$sitemap->addUrls([
    ['path' => '/services',  'priority' => 0.9],
    ['path' => '/portfolio', 'changefreq' => Sitemap::FREQ_MONTHLY],
    ['path' => '/contact',   'lastmod' => new DateTime('2025-01-10'), 'priority' => 0.5],
]);

Duplicate URLs are silently ignored — you don't need to deduplicate before passing.

Images

Google's image sitemap extension lets you associate images with pages, which can improve image search visibility:

$sitemap->addUrl(
    path:   '/portfolio/project-alpha',
    images: [
        [
            'loc'     => 'https://example.com/images/project-alpha-hero.jpg',
            'title'   => 'Project Alpha — hero shot',
            'caption' => 'The main dashboard view of Project Alpha.',
        ],
        [
            'loc'   => 'https://example.com/images/project-alpha-mobile.jpg',
            'title' => 'Project Alpha — mobile view',
        ],
    ]
);

loc is required. title and caption are optional but recommended.

Videos

Same idea for videos, with a few more required fields:

$sitemap->addUrl(
    path:   '/tutorials/getting-started',
    videos: [
        [
            'thumbnail_loc' => 'https://example.com/thumbs/getting-started.jpg',
            'title'         => 'Getting Started in 5 Minutes',
            'description'   => 'A quick walkthrough of the core features.',
            'duration'      => 320, // seconds
        ],
    ]
);

thumbnail_loc, title, and description are required. duration is optional.

Multilingual Sites (Hreflang)

If your site serves content in multiple languages, you can attach hreflang alternates to each URL:

$sitemap->addUrl(
    path:      '/about',
    hreflangs: [
        ['lang' => 'en',        'url' => 'https://example.com/en/about'],
        ['lang' => 'fa',        'url' => 'https://example.com/fa/about'],
        ['lang' => 'x-default', 'url' => 'https://example.com/about'],
    ]
);

The x-default entry tells Google which version to show when no language preference matches.

Saving to File

// Plain XML
$sitemap->saveToFile('/var/www/public/sitemap.xml');

// Gzip compressed — just add .gz to the filename
$sitemap->saveToFile('/var/www/public/sitemap.xml.gz');

Gzip is worth enabling in production. The file ends up 5–10x smaller, and most crawlers handle it fine.

Large Sites — Auto Splitting

The sitemap protocol caps files at 50,000 URLs and 50 MB. For bigger sites, splitAndSave() handles the splitting automatically and generates a sitemap index:

$sitemap = new Sitemap('https://example.com');

foreach ($allPages as $page) {
    $sitemap->addUrl($page->path, $page->updatedAt);
}

$indexXml = $sitemap->splitAndSave(
    directory:   '/var/www/public/sitemaps',
    baseFileUrl: 'https://example.com/sitemaps',
    prefix:      'sitemap',
    gzip:        true
);

file_put_contents('/var/www/public/sitemap-index.xml', $indexXml);

This produces sitemap-1.xml.gz, sitemap-2.xml.gz, and so on — plus a sitemap index file that points to all of them. Submit the index URL to Google Search Console and you're done.

Namespace Cleanliness

One small detail I care about: the library only adds XML namespaces that are actually used. If your sitemap has no images or videos, the output won't carry xmlns:image or xmlns:video. It's a minor thing, but it keeps the XML clean and honest.

Wrapping Up

Nothing revolutionary here — it's a sitemap generator. But it handles the real cases correctly and gets out of your way. If you've been copy-pasting sitemap XML by hand or using a bloated package, give it a try.

GitHub / Packagist: composer require webrium/sitemap

SQL And PHP: People whose birthday is today

Benyamin Khalife — Fri, 23 May 2025 12:58:06 +0000

How do we find a list of people whose birthday is today from a database and perform an operation on them?

To start, we add the Foxdb library:

composer require webrium\foxdb

In this way, write the default configuration for using the library and change it according to your project.

use Foxdb\DB;
use Foxdb\Config;
use Foxdb\DB;

DB::addConnection('main', [
    'host'=>'localhost',
    'port'=>'3306',

    'database'=>'test',
    'username'=>'root',
    'password'=>'1234',

    'charset'=>Config::UTF8,
    'collation'=>Config::UTF8_GENERAL_CI,
    'fetch'=>Config::FETCH_CLASS
]);

Now, using a simple query, we can get the list of people whose birthday is today.

$list = DB::table('users')
        ->month('birth_date', date('m'))
        ->day('birth_date', date('d'))  
          ->get();

See the GitHub repository and documentation at the link below.

FoxDB Documentation

Download photo from Telegram Bot !

Benyamin Khalife — Fri, 23 May 2025 11:11:11 +0000

In the last Changes in 2.0.0.beta2 version, we can download photos sent in the Bot from Telegram servers and save them on our own server

Install the Botfire library using Composer:

composer require botfire/botfire:2.0.0.beta2

To download a photo:

// Where to store photos on the server
$dir = __DIR__.'/photos/';

Bot::message()->photo()->last()->download($dir);

By executing the download method as in the example above, the file is saved in the path we specified in $dir

With the forEach method, we can iterate through all the images of different sizes.

    Bot::message()->photo()->forEach(function(Photo $photo)use($dir){
        $name = $photo->getWidth().'_@name';
        $photo->download($dir, $name);
    });

In the line $name = $photo->getWidth().'_@name'; we customize the filename. We add the width value to the beginning of the filename.
The @name expression in the download function is replaced with the original file name, giving us more flexibility in renaming the image.

I think the same structure would be suitable for other file types as well. So audio, video, and other types should be implemented and appropriate comments and documentation should be created for them.

Send and receive photo from the Telegram bot

Benyamin Khalife — Mon, 19 May 2025 16:07:39 +0000

The next important feature that needed to be implemented was the ability to send photos.

Sending photos in a Telegram bot with BotFire

There are three ways to send a photo.

Send via link

For example, we have a picture that can be downloaded from the address https://download.samplelib.com/png/sample-bumblebee-400x300.png. Using the link, the file can be sent to the bot.
Example:

$link = 'https://download.samplelib.com/png/sample-bumblebee-400x300.png';

Bot::new()->photo($link)->send();

Send photo contents

In this method, our file does not need to be accessible via a link. Our file exists somewhere on the server and can be sent using Bot::inputFile.

Example:

$file = Bot::inputFile(__DIR__.'/assets/test.png');
Bot::new()->photo($file)->send();

How to add a caption to a photo?

Bot::new()->photo($file)->caption('Hello caption 😃')->send();

Receive a photo from the client in the bot

To find out whether the type of message the client sent to the bot is a photo or not, we can do the following:

if(Bot::message()->type() == Message::TYPE_PHOTO){
 // ...
}

If the client has sent a photo, we can access its information through the photo method.

Telegram sends us a file_id which contains a unuque identifier and if you save this identifier you can send the photo later without having to upload it again (more information)

if(Bot::message()->type() == Message::TYPE_PHOTO){

  $file_id = Bot::message()->photo()->first()->fileId();

}

Telegram sends us an array of images of different sizes, the first one being the lowest and the last one being the highest resolution and size.
In the example above, we received the first one. Other methods are also available.

Method	Description
first	Returns the first value
last	Reterns the last value
count	Number of arrays
indexOf	Returns the value based on its index.
asArray	Returns the entire array in its entirety.

If the photo has a caption, you can get it like this:

$caption = Bot::message()->caption();

If there is no caption, it returns null.

Now, if you have access to the file_id, you can resend that image in the same way as explained:


$file_id = $file_id = Bot::message()->photo()->last()->fileId();

bot::new()->photo($file_id)->caption('New Caption ...')->send();

Managing CallbackQuery and message types in Telegram bots

Benyamin Khalife — Sat, 17 May 2025 18:29:37 +0000

Continuing from the previous article, this time I will describe the changes I made to the library.

The user in the Telegram bot can send different types of messages, such as text messages, photos, videos, etc. In some cases, we need to know what type of message the client has sent so that we can respond to it accordingly, or perhaps we need to limit the type of message for the client

So, a method had to be created to detect the type of message sent by the client, and as a result, the message type could be received using the following method:

$type =  Bot::message()->type();

I think this is a clean and simple syntax, don't you?

The values it returns are one of these:
'text', 'photo', 'video', 'audio', 'document', 'sticker', 'animation', 'location', 'contact', 'poll'

I also put the consts of these types in the message method, which are:

const TYPE_TEXT = 'text';
const TYPE_PHOTO = 'photo';
const TYPE_VIDEO = 'video';
const TYPE_AUDIO = 'audio';
const TYPE_DOCUMENT = 'document';
const TYPE_STICKER = 'sticker';
const TYPE_ANIMATION = 'animation';
const TYPE_LOCATION = 'location';
const TYPE_CONTACT = 'contact';
const TYPE_POLL = 'poll';
const TYPE_MESSAGE = 'message';

These constants are accessible from the Message class, so creating a condition to check the type of user message could look something like this:

if(Bot::message()->type() == Message::TYPE_TEXT){
    // Do something.
}
else{
    Bot::new()->text('Please send your message as text.')->send();
}

What is your opinion about this structure? I would be happy if you share it with me.

Detecting a query callback in a Telegram bot

There is another type of message. When the client clicks on an inline button In this case, Telegram sends us a Callback that also contains the data object of that message.

I created the isCallbackQuery method for this purpose, which can be used as follows:

if ( Bot::isCallbackQuery() ) {

    $data = Bot::callback()->data();

    Bot::new()->text("🛜 Get Callback Query:\nData : $data")->send();
}

So if the value of Bot::isCallbackQuery() is true, we know that the client has clicked a button. In this case, we have access to the callback method and we can get the data of the button that the client clicked using Bot::callback()->data()

View on GitHub: BotFire

This library is under development and is not yet ready for use.