[ceejayoz]

C'mon. Their "PHP MySQL Insert Into" tutorial (http://w3schools.com/php/php_mysql_insert.asp) uses direct $_POST data with no escaping. No mention of security is made in the entire "PHP Database" section.

These tutorials need a massive red flashing warning saying "we've left critical stuff out, you will get your site defaced if you code like this".

Newbies don't need to be expected to know good code. That's no excuse for presenting actively dangerous examples to them with no warning.

[qubot]

Good code makes crappy tutorials. If I was a moron, I don't care if the examples inadvertently summons swarms of locusts if I understand them quickly.

Now, I would be all for W3Schools making their disclaimer more noticeable. It is there, though.

[ceejayoz]

> Good code makes crappy tutorials.

Not necessarily, and bad code can make dangerous tutorials.

[qubot]

> "Not necessarily, and bad code can make dangerous tutorials."

W3Schools is not responsible for what devs do, and safe code means introducing more concepts that can leave the scope of a tutorial.

I agree the code sucks, but we're talking about minimizing time to understand something, not security. Save that for the security tutorials.

[dorward]

How are people supposed to know that they need to go and find a separate security tutorial (and not a W3Schools one, they don't have one)?

Following that tutorial introduces massive security holes into a site. Those security problems need to be discussed. At the very least they need a warning saying "Don't do this until you understand the security issues discussed in THIS OTHER GUIDE".

[qubot]

> "How are people supposed to know that they need to go and find a separate security tutorial (and not a W3Schools one, they don't have one)?"

Whenever they realize they don't understand something. This could happen by reflecting on the material or after making a mistake.

> "Following that tutorial introduces massive security holes into a site."

I've touched on this on other parts of this page.

[dorward]

> Whenever they realize they don't understand something.

Which is quite likely to be when their customers' data gets leaked or altered. That's a really bad time to discover a hole in your understanding.

[kamjam]

If people, beginners or not, come to w3schools and take it as the bible then they are in the wrong field and need to quit NOW.

I'd say it was fairly obvious that this is a bare bones basics site (I used it, albeit about 10 years ago) that needs to lead on to something else...

But granted they should may be put in a "next steps" type section of things people should read in to further.

[andrewfelix]

So true. Imagine your primary school art teacher telling you you were ignoring centuries of established neo-classical techniques by holding the brush wrong.

[ceejayoz]

This is more like your primary school art teacher letting you stick the brush through your eardrum without saying anything.

[CamperBob2]

To the extent good code makes crappy tutorials, the language is what's broken.

An unproductive comment, but I think it's a defensible one.

[qubot]

The problem is nuance, which involves all those little wow-I-wish-I-knew-THAT tidbits that students never learn about until a forum member or colleague hollers at them.

Languages cannot eliminate every subtlety in their use, and there will always be issues that call for more articles explaining how to sidestep them. Novices won't normally get to see this content, and it won't help them to shove it all down their throats at once back at the introductory level courses.

There's a reason most physics students hear about Newton first.