@sarciszewski
Created May 30, 2015 04:25
A Crusade Against Bad Code

Aniruddh Agarwal blogged A short tour of PHP, and this is one of the negatives he identified:

Community: I know. I said that PHP's community was an advantage to it, but it is also a disadvantage, because of BAD CODE. Beginners are not taught the best practices and they go on to write bad code and distribute it, either as answers on Stack Overflow or similar websites or blog about it, which encourages other beginners to adopt those practices. There is a lot of misinformation out there, and it is very difficult to separate the good from the bad. This is perhaps the worst thing about PHP, because PHP is an entry-level language and people learning it are usually not aware of the best practices.

This is spot on!

BAD CODE that newcomers copy and paste is probably the biggest source of exploitable security vulnerabilities in the entire industry.

The biggest offenders are often the highest-ranking search results on Google and other search engines.

For the good of the PHP developer community and the future generations that have not yet joined our ranks, I believe it's high time we cleaned up our act. Neophyte developers should be more likely to run into secure, well-written code than Swiss cheese written by people who don't understand application security.

Therefore, I propose the following strategy:

Fix the bad advice on Stack Overflow.

How do you safely store a password, server-side?

If you said anything other than scrypt, password_hash() (bcrypt by default, with the salt and cost stored inside the hash string), the eventual Password Hashing Competition (PHC) winner, or a well-written bcrypt-base64-sha2 class that pre-hashes the password to sidestep bcrypt's 72-byte input limit (e.g. password_lock or \Zend\Crypt\Password\BcryptSha), you are wrong.
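The password_hash() route from the list above, as an added example that is not code from the gist or from any of the libraries it names. It targets PHP 7.1 or later and adds the two checks a bare password_hash() call leaves out: refusing input past bcrypt's 72-byte limit, and upgrading stored hashes through password_needs_rehash() when the cost is raised. The cost value, the in-memory user table and the sample passwords are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example (not code from the gist). Requires PHP >= 7.1.
// PASSWORD_DEFAULT has been bcrypt in every PHP release so far.

// bcrypt uses only the first 72 bytes of its input; anything after that is
// silently ignored, so a 72-byte password and the same bytes with more text
// appended verify as the same password. Refuse such input on both the
// registration and the login path instead of living with the collision.
const MAX_PASSWORD_BYTES = 72;

// Tuning assumption for this example: pick the highest cost that keeps one
// hash under roughly 100 ms on the production hardware.
const BCRYPT_COST = 12;

/**
 * Hash a password for storage. The returned string carries the algorithm,
 * the cost and a random salt, so one VARCHAR(255) column holds everything
 * password_verify() needs; the salt is never generated or stored separately.
 */
function hashPassword(string $password): string
{
    if (strlen($password) > MAX_PASSWORD_BYTES) {   // strlen() counts bytes
        throw new InvalidArgumentException('Password longer than 72 bytes');
    }
    $hash = password_hash($password, PASSWORD_DEFAULT, ['cost' => BCRYPT_COST]);
    if (!is_string($hash)) {                         // false before PHP 8
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

/**
 * Check a login attempt. password_verify() parses the stored hash, recomputes
 * it with the embedded salt and cost, and compares in constant time; do not
 * replace it with ==, === or strcmp().
 *
 * Returns null on failure. On success returns the hash to keep in the
 * database: the old one, or a fresh one if the algorithm or cost has since
 * been raised, which upgrades stored hashes transparently as users log in.
 */
function verifyAndMaybeRehash(string $password, string $storedHash): ?string
{
    if (strlen($password) > MAX_PASSWORD_BYTES) {
        return null;                                 // see MAX_PASSWORD_BYTES
    }
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, ['cost' => BCRYPT_COST])) {
        return hashPassword($password);
    }
    return $storedHash;
}

function check(bool $condition, string $what): void
{
    if (!$condition) {
        throw new LogicException("check failed: $what");
    }
}

// Demonstration on a constructed in-memory "users" table.
$users = ['alice' => hashPassword('correct horse battery staple')];

check(verifyAndMaybeRehash('correct horse battery staple', $users['alice']) !== null,
      'right password is accepted');
check(verifyAndMaybeRehash('Tr0ub4dor&3', $users['alice']) === null,
      'wrong password is rejected');

// A hash created at a lower cost is replaced on the next successful login;
// the caller persists whatever comes back.
$weak = password_hash('correct horse battery staple', PASSWORD_DEFAULT, ['cost' => 4]);
$upgraded = verifyAndMaybeRehash('correct horse battery staple', $weak);
check($upgraded !== null && $upgraded !== $weak, 'low-cost hash is rehashed');
check(password_verify('correct horse battery staple', $upgraded), 'new hash still verifies');
$users['alice'] = $upgraded;

// A 73-byte candidate is refused outright rather than matched on its first 72 bytes.
check(verifyAndMaybeRehash(str_repeat('a', 73), $users['alice']) === null,
      'over-long input is rejected');
echo "ok\n";
```

The only row the application stores is the string password_hash() returns; the cost is checked on every successful login rather than at deploy time, so raising BCRYPT_COST later needs no batch migration.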

Stop Linking to W3Schools, PHPClasses, HotScripts, etc. Start Linking to Better Solutions.

Simply put: the fewer reputable pages link to bad websites, the less search engines trust them and the lower they'll appear in the search results.

This might involve a mass takedown campaign, where everyone logs into their old message board accounts and replaces links to these shitty code dispensers with links to better solutions.

Contact Bloggers and Tutorial Authors

Explain the situation, request a preface/disclaimer for all of the security problems their old blog post can introduce into a project. If the blogger is clever, they'll write a new article explaining how to do it the 2015 way and link to that in their preface. If they don't have the time or energy, ask them to link to an external page that provides a better answer.

Ultimately, the proliferation of buggy and insecure code is only going to create more problems as time goes on. The wound is festering; it needs to be sanitized.

Let's Set Better Examples for Developers To Learn From

Let's Clean Up the Bad Code and Make the PHP Community Better.

@Swader commented May 30, 2015

As SitePoint's PHP editor, I'm 100% behind this and it's an initiative we've been trying to drive forward.

We've had a peer review system going for a while now, and it's improved the quality of our posts significantly. The system is open to all, so get in touch with me if you want an early peek at posts to be published, while helping to improve them. No obligations - even if you just skim a draft post and drop a comment, it's already priceless feedback, whether it be code, approaches, or something else you're commenting on. Let me know via email or this post if you'd like to join up.

We've recently upped our game and will be focusing a big part of our efforts on revamping older posts, too. I encourage everyone who notices bad practices in our posts to put a note in the comments section (we never delete non-spam posts, no matter how negative) and if you see actual mistakes, typos, bugs and so on please let us know via issues on this repo. We want to be better, with the community, for the community.

@smolinari

Yes! 👍 I fully agree.

I'd like to also point out something I almost always get criticized for. When I try to help someone and I can see they are a real beginner and have obviously missed out on some important steps in their own learning development, like asking for solutions to a problem in a manner which clearly shows they are way in over their heads from a programming experience standpoint, at that point I don't spoon-feed them the solution they are asking for, but rather, I tell them to go back to learning what they need to learn to fix it themselves.

You see, I believe in

"Give a man a fish, and he can eat for a day. Teach a man how to fish, and he can eat for a lifetime."

Too often sites like StackExchange, or any other online community with experts and helpers, motivate beginners to just throw out their problem like bait for a fish and too many good (and unfortunately sometimes bad) developers get hooked like a fish and simply throw back some solution. It is obvious though, the beginner can't even cast right.

The better answer is to simply ask the beginner to go look through teachings and not give them the direct solution. They should work out the answer for themselves. They should learn. This is especially true, when the problem/ question is formed in such a way that it is very clear the beginner didn't even try to find a solution on their own. That often gets an answer from me like, "Did you even try to solve the problem yourself?"

At any rate. My rule is, try to teach first and only give final solutions, when the person asking has obviously tried to solve the problem on her own and has an obvious grasp of at least some of the overarching concepts needed to understand the problem to begin with.

Scott

@shivenigma

+1

@ckrack commented May 30, 2015

This is a huge problem.

What really makes me shiver is when companies that provide an API publish example code of bad quality.
People will always start with the example code, and mistakes introduced there will appear in their production code.
That was the case with the PayPal API a couple of years ago, for example.

ghost commented May 30, 2015

Interesting points. This isn't a problem unique to the PHP world though. I mainly live in the Microsoft/.NET world and I've recently turned my attention to PHP. You describe a problem that I don't think has an easy solution. We need more mentoring in the industry. But companies usually want to hire the cheapest guy. Sometimes the cheapest guy might not know anything, but is really good at putting on a show. Now we have a proliferation of these boot camps that churn out developers in a matter of weeks. I'm a little worried about the future of software engineering based on current trends. Computer science enrollment was down for nearly a decade. There's going to be such a knowledge gap in the industry soon once the true senior software engineers begin to move into retirement.

@sbokul commented May 30, 2015

+1

@superirale

As a SitePoint Ambassador... I'm in, let's clean up our mess.

@philsturgeon

I'd like PHP The Right Way to split into multiple URLs so they can be linked to and ranked more specifically on Google than the current #anchor approach.

If anyone is interested, the repo is here: https://github.com/codeguy/php-the-right-way

@philsturgeon

This PR is quite on point with your message https://github.com/codeguy/php-the-right-way/pull/395/files

Could be cleaned up a bit

@philsturgeon

Aaaand this is very old too but in the same vein codeguy/php-the-right-way#341

@sarciszewski (Author)

@philsturgeon Given that there are 10 unresolved pull requests in codeguy/php-the-right-way, I'd hesitate to send one that breaks them all until they can be merged or closed.

@calevans

As the Editor-in-Chief of Zend's DevZone, I am 100% behind this.

We recently re-launched DevZone and while we do have a lot of old content up, anything that is more than 3 years old carries a warning at the top letting the reader know that it is there for archival purposes only.

Cheers!
=C=

@dabernathy89

W3 Schools gets a lot of hate, but there are few good resources out there like it that target absolute beginners.

@mauricios

+1
