Reply to post: Old documentation

Marmite of scripting languages PHP emits version 8.0, complete with named arguments and other goodies

Sampler

Old documentation

I think one of the biggest problems for PHP is outdated documentation. As someone who's not a coder but needed to get something to work, I found an example in PHP that did the trick. This happened several times, and so when I came to build something bigger it started becoming my go-to, especially as these were internal things never to see the light of a public network, so it was fine.

Down the line I need something public facing and, oh god, how many security holes there are in these examples I'm reading through: like, fixed decades ago but still showing the old way in recently posted tutorials.

My film club needed a way to handle RSVPs since COVID struck and we had to limit to 14 people. Nothing I could find (in our budget of three beans) could handle RSVPs with a cap and a waitlist, so I was like, hey, that sounds like something I could probably bash out in an evening with a bit of copying from Stack Overflow for the hard bits. Go out and look for "php user login system" and see how many examples have any SQL injection protection. Like, PDO with bound variables will leave a SQL injection dead in the water (as far as I've read), but barely any example uses them, and only a few have a passing mention that the end user might want to look up about security. The end user who needs to google how to do a login page isn't going to grasp the wider issue at hand here.

I'm sure I've made several other beginner errors (hence not linking it here as an example), especially with POST or global variables (I've worked around GET variables at least), and although I think I sanitise everything, I don't really know. I guess I'm not the only person in this boat; I just might be old enough to at least wonder about security rather than just be happy I got shit up and running.

But, as I have a day job (that seems to like to be an evening job far too often), really digging into the security isn't something I have time to do and, a little, the inclination, given the wording of a lot of the documentation I do find isn't very accessible to someone starting out. Which is kinda counterproductive, given we're the ones who're going to make the biggest mistakes? Trying to teach someone security once they've got their bad habits well and truly ingrained seems a poor choice.
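The point about PDO and bound variables, shown side by side with the tutorial pattern the comment complains about. This is an added example, not code from Sampler's comment or from the article: the `users` table, the user `alice`, the attacker input and the function names `loginVulnerable` and `loginSafe` are all constructed here, and SQLite in memory is used so it runs with nothing but stock PHP.

```php
<?php
// Added example (not from the comment or the article). A login check written
// the way many old tutorials show it, next to a version using PDO prepared
// statements with bound parameters and a hashed password. Everything here
// (table, user, attacker input) is constructed for the demonstration.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// pdo_sqlite always binds parameters natively. On pdo_mysql you would also
// set PDO::ATTR_EMULATE_PREPARES to false so binding happens server-side.

$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    password_hash TEXT NOT NULL
)');
$insert = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
$insert->execute([
    ':u' => 'alice',
    ':h' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
]);

// Tutorial pattern: form input spliced straight into the SQL text. A single
// quote in the username ends the string literal and the rest of the input
// becomes SQL. Comparing the password inside the query (as these examples
// usually do with plaintext passwords) is the companion mistake.
function loginVulnerable(PDO $pdo, string $username, string $password): bool
{
    $sql = "SELECT id FROM users WHERE username = '$username'"
         . " AND password_hash = '$password'";
    return $pdo->query($sql)->fetch() !== false;
}

// Hardened pattern: the statement text is fixed and contains only a
// placeholder; the value is sent separately, so no input can change the
// query's structure. The password is checked in PHP against a stored hash.
function loginSafe(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $hash = $stmt->fetchColumn();      // false when no such user
    if ($hash === false) {
        return false;
    }
    return password_verify($password, (string) $hash);
}

// Constructed attacker input: closes the quoted literal, then `--` turns the
// remainder of the vulnerable query (the password check) into a comment.
$attacker = "alice' --";

printf("vulnerable, injected username, empty password: %s\n",
    var_export(loginVulnerable($pdo, $attacker, ''), true));
printf("safe, injected username, empty password:       %s\n",
    var_export(loginSafe($pdo, $attacker, ''), true));
printf("safe, real username, real password:            %s\n",
    var_export(loginSafe($pdo, 'alice', 'correct horse battery staple'), true));
```

Run with `php login_example.php` (any file name). The vulnerable function logs the attacker in with no password at all, because the query it builds is `... WHERE username = 'alice' --' AND password_hash = ''` and the database treats everything after `--` as a comment. The prepared-statement version looks for a user literally named `alice' --`, finds none, and refuses; the genuine credentials still pass through `password_verify`. Note that the hardened version does no "sanitising" of the input at all: the protection comes from keeping data out of the query text, not from stripping characters, which is why the comment's instinct to reach for PDO with bound variables is the right one.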
