Teaching Bad Practice
10 Jan 2007
I subscribe to the WSG reading list, an entertaining and informative round-up of web-standards-related articles and blog posts. The usual IE bugs, interviews and handy tips, but one thing that caught my eye this week was a PHP tutorial on handling forms.
Let’s take a look…
This chapter covers the basics of creating HTML forms and how the form data is transmitted to your PHP script. It introduces several key concepts of real PHP programming, including how to debug and manage errors in your scripts.
Real PHP programming? Sounds good!
Unfortunately it’s not. While it covers the basic mechanics of handling forms, it barely covers doing so responsibly.
What exactly is bad about it?
In the first examples register_globals is relied upon. A page or two later it does recommend you disable it, but gives no explanation of why register globals is considered harmful. This turn of phrase:
To combat register_globals being off, you need to use special variables like $_POST.
Is very worrying, suggesting register globals should be on, and no note of the positive aspects of using $_POST, $_GET, et al.
There’s no mention of magic_quotes or how it will potentially maim your data (whether you’re using a database or not). For a basic form handling tutorial, I’m surprised this is skipped. A lot of people will be shocked when they enter a name with an apostrophe and a backslash appears out of nowhere.
No mention of not trusting, and where needed escaping, user data. Some people might consider this a bit ‘high-level’ for a relatively simple example, but I can’t help but think this is exactly when tutorials should mention these considerations and the associated dangers of XSS.
Would it really confuse a reader to recommend the use of htmlentities() or strip_tags()? Or at least mention them.
Although some people would disagree with me, it’s a terrible idea to just throw all your PHP code straight in the middle of the body and start using print statements, let alone setting error_reporting mid page.
PHP was designed to be easily embedded into a page, and there’s nothing complicated about switching out of HTML to PHP to print variables; if anything, that could be easier to grasp.
More importantly it shows the division between PHP and HTML, which to so many developers is a very blurry line.
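As an added example (not code from the tutorial or from this post), here is a small form handler that does the things discussed above: it reads from $_POST instead of relying on register_globals, undoes magic_quotes damage where that setting still exists, escapes with htmlentities() at output, and keeps the PHP logic above the HTML. The field name `name` and the helpers post_value() and h() are assumptions made for illustration.

```php
<?php
// Added example. The field name 'name' and the helper names post_value()
// and h() are hypothetical, chosen for illustration only.

// Set error reporting once, before any output, not in the middle of the page.
error_reporting(E_ALL);

// Read a field from $_POST explicitly so its origin is never in doubt.
// With register_globals on, any request parameter could silently become $name.
function post_value($key)
{
    // Reject missing fields and array input such as name[]=x.
    if (!isset($_POST[$key]) || !is_string($_POST[$key])) {
        return '';
    }
    $value = $_POST[$key];
    // Before PHP 5.4, magic_quotes_gpc could turn O'Brien into O\'Brien.
    // The version check avoids calling a function that newer PHP removed.
    if (version_compare(PHP_VERSION, '5.4.0', '<') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return trim($value);
}

// Escape at the point of output, for the HTML context the value lands in.
function h($text)
{
    return htmlentities($text, ENT_QUOTES, 'UTF-8');
}

$name = post_value('name');
?>
<html>
<body>
<?php if ($name !== ''): ?>
  <p>Hello, <?php echo h($name); ?>!</p>
<?php endif; ?>
<form method="post" action="">
  <label>Name: <input type="text" name="name" value="<?php echo h($name); ?>"></label>
  <input type="submit" value="Send">
</form>
</body>
</html>
```

Submitting a name containing an apostrophe or markup shows both effects: the apostrophe comes back without a stray backslash, and any tags are displayed as text instead of being interpreted by the browser.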
Considerations
It may seem I’m being a little unfair to this particular article - not everything I’ve mentioned is targeted at it - in its defence, at least mentioning error_reporting deserves praise.
Alas it has acted as a trigger for my frustration about the general quality of PHP learning material.
I’m also aware this article is an extract from a book, but it will be found and treated as a standalone guide, just as the WSG list has done.
Giving PHP a bad name
One of the reasons PHP is looked down upon is the sheer number of poor programmers who use it, with disastrous results.
This is caused in part by the low entry barrier of PHP compared to some other languages, but also because so many tutorials, books, etc. just teach PHP badly! It’s very easy, even for good programmers, to create truly shocking code because ‘that’s what a guide said to do’ and they’ve not been told different.
It comes down to this: Garbage In, Garbage Out - if you’re not teaching good practice, you’re teaching bad practice, and others are following what you say either way.