I think the major problem is PHP's 'noob friendliness'. To achieve that it goes out of its way to mitigate and recover from bad code and thus doesn't have a decent set of well known good practices to code against. The huge vulnerability that opens up is that of data validation, and you can tighten up your server config all you want, but it won't mean shit without any of that. Of course, since PHP is such a comparatively simple language, everyone thinks they're an expert once they know how to open a mysql connection (through the now deprecated bindings, of course) and code a simple blog script with basic CRUD functionality. As a result, there's a 'simple/complicated' dichotomy when it comes to online documentation and tutorials, where the beginner developer ignores the complicated (and typically well thought-out) stuff, and goes for what they can easily copy and paste or get their head around. Typically none of that code has any sort of validation or sanitisation. Half of it might go on about `magic_quotes_gpc` and `mysql_real_escape_string` and other PHP4-tastic curios, and the rest won't even mention that because checking user input is seemingly only related to db communication. I feel pretty strongly about it because I've seen people post code snippets for PHP, trying to be helpful, but the code is dangerous. They serve better as examples of exactly what you shouldn't do. And the one thing PHP beginners (and intermediates) need is better, simpler explanations of responsible coding practices, and how it isn't hard to do at all (it's only tedious); because the sooner they know, the better. I should write a book or something.
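As an added example, not code from the thread: the copy-paste "blog lookup" pattern the post describes, next to the same feature with input validation, parameter binding and output escaping (PDO on PHP 7.4+; the table, column and connection details are assumed placeholders).

```php
<?php
// Added example, not from the thread. Table and column names are assumed.

// The copy-paste pattern the post warns about: the removed mysql_* extension,
// raw request data dropped into SQL and HTML, no validation, no escaping.
function showPostUnsafe(): void
{
    $id  = $_GET['id'];
    $res = mysql_query("SELECT title, body FROM posts WHERE id = $id");
    $row = mysql_fetch_assoc($res);
    echo "<h1>{$row['title']}</h1><div>{$row['body']}</div>";
}

// Same feature, done responsibly. Step 1: validate the input, and reject
// anything that is not a positive integer instead of trying to "fix" it.
function readPostId(array $query): ?int
{
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Step 2: bind the value as a parameter; it never becomes part of the SQL text.
function loadPost(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT title, body FROM posts WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Step 3: escape at output time. Validating input says nothing about whether
// data already in the database is safe to place inside HTML.
function renderPost(array $row): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h1>' . $h($row['title']) . '</h1><div>' . $h($row['body']) . '</div>';
}

$id = readPostId($_GET);
if ($id === null) {
    http_response_code(400);
    exit('Bad request');
}
// Placeholder credentials; emulated prepares are off so binding is server-side.
$db = new PDO('mysql:host=localhost;dbname=blog;charset=utf8mb4', 'app', 'secret',
              [PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$row = loadPost($db, $id);
echo $row === null ? 'Not found' : renderPost($row);
```

The unsafe function is kept only for contrast and is never called; on a current PHP build it would fail outright because the mysql_* extension no longer exists.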
Honestly, I feel there are a large number of quality sources for writing good PHP code. The problem is that it isn't all focused on PHP.
"everyone thinks they're an expert once they know how to open a mysql connection"
How true.
PHP is deceptively easy. It's akin to C, in that it will allow you to shoot your own foot if you ask it.