Skip to content.

Scott Arciszewski

Software, Privacy, Security, Innovation

A Crusade Against Bad Code

Aniruddh Agarwal blogged A short tour of PHP, and this is one of the negatives he identified:

Community: I know. I said that PHPs community was an advantage to it, but it is also a disadvantage, because of BAD CODE. Beginners are not taught the best practices and they go on to write bad code and distribute it, either as answers on Stack Overflow or similar websites or blog about it, which encourages other beginners to adopt those practices. There is a lot of misinformation out there, and it is very difficult to separate the good from the bad. This is perhaps the worst thing about PHP, because PHP is an entry-level language and people learning it are usually not aware of the best practices.

This is spot on!

The existence of BAD CODE being copied and pasted by newcomers is probably the biggest source of exploitable security vulnerabilities in the entire industry.

The biggest offenders are often the highest ranking search results on Google and other search engines:

For the good of the PHP developer community and the future generations that have not yet joined our ranks, I believe it's high time we cleaned up our act. Neophyte developers should be more likely to run into secure, well-written code than swiss cheese written by people who don't understand application security.

Therefore, I propose the following strategy:

  1. Fix the bad advice on Stack Overflow.

    How do you safely store a password, server-side?

    If you said anything other than scrypt, password_hash(), the PHC winner, or a well-written bcrypt-base64-sha2 class (e.g. password_lock or \Zend\Crypt\Password\BcryptSha), you are wrong.

  2. Stop Linking to W3Schools, PHPClasses, HotScripts, etc. Start Linking to Better Solutions.

    Simply put: The less Google trusts bad websites, the lower they'll appear in the search results.

    This might involve a mass takedown campaign, where everyone logs into their old message board accounts and replaces links to these shitty code dispensors with links to better solutions.

  3. Contact Bloggers and Tutorial Authors

    Explain the situation, request a preface/disclaimer for all of the security problems their old blog post can introduce into a project. If the blogger is clever, they'll write a new article explaining how to do it the 2015 way and link to that in their preface. If they don't have the time or energy, ask them to link to an external page that provides a better answer.

Ultimately, the proliferation of buggy and insecure code is only going to create more problems as time goes on. The wound is festering; it needs to be sanitized.

Let's Set Better Examples for Developers To Learn From

Let's Clean Up the Bad Code and Make the PHP Community Better.

Blog Archives Categories Latest Comments

Want to hire Scott Arciszewski as a technology consultant? Need help securing your applications? Need help with secure data encryption in PHP?

Contact Paragon Initiative Enterprises and request Scott be assigned to your project.