On Fri, Jul 26, 2024, 04:58 Tim Düsterhus <t...@bastelstu.be> wrote:
> I just Googled "PHP tutorial" and found https://www.phptutorial.net/ as
> the second search result, which considers itself to be "the modern PHP
> tutorial".
>
> I've clicked at the CSRF section
> (https://www.phptutorial.net/php-tutorial/php-csrf/) and what do I find:
>
> > $_SESSION['token'] = md5(uniqid(mt_rand(), true));
>
> *Exactly* the md5-uniqid construction that is called out as unsafe in
> the RFC and used in a security context.
>
> Further down on the first page I find
> https://www.tutorialspoint.com/php/php_mysql_login.htm, which does not
> even hash the passwords that are stored within the database. At least
> it's using `mysqli_real_escape_string()`.
>
> Then I have the German php-einfach.de, which on
> https://www.php-einfach.de/php-tutorial/die-wichtigsten-php-funktionen/
> ("the most important PHP functions") lists md5() and sha1() as an
> important function, but does not mention hash() at all.
>
> I'm sure I would find quite a few more, but I believe those already
> support the point I was trying to make.
>

I don't think the examples you provided support the argument for deprecating these functions. If anything, they highlight the real problem: outdated tutorials being prominently featured in search results. As you mentioned, the MySQL login one doesn't even use a hashing function, so deprecating md5 and sha1 functions would do nothing to fix that!

And how are these the top results? Are you telling me that the PHP community can't create better websites and SEO than these ancient tutorials?

If someone encounters a problem because they can't use the md5() function, they're likely to Google it and find a simple workaround like "just paste this code and it'll work again." mentioned above. That would be just like this deprecation proposal: identifying the wrong solution to the actual problem.

The real question is, why aren't there better, more up-to-date resources easily available for someone wanting to learn PHP in 2024?

We're the PHP community, we should be leading the web and SEO. Yet most people looking to get into webdev today aren't reaching for PHP. I've seen recent videos where developers are positively surprised by PHP's modern features. But can we blame them for being surprised if these are the top tutorials out there?

Deprecating these functions isn't addressing the core issue. The focus should be on making it easy for new learners to access up-to-date tutorials.

Thanks,
Peter
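
The md5-uniqid line quoted in the message above, shown beside a CSPRNG-based replacement, as an added example that is not part of the original message or of any of the tutorials it names. The function names and the plain array standing in for `$_SESSION` are assumptions made for illustration, and the `mixed` type requires PHP 8.0 or later.

```php
<?php
// Weak form, as quoted: uniqid() is derived from the current time and
// mt_rand() is not a cryptographically secure generator, so the token is
// built from guessable inputs. md5() over them adds no entropy.
function weak_csrf_token(): string
{
    return md5(uniqid(mt_rand(), true));
}

// Hardened form: 32 bytes taken directly from the OS CSPRNG, hex-encoded.
function strong_csrf_token(): string
{
    return bin2hex(random_bytes(32));
}

// Issue a token and keep it under the 'token' key used in the quoted line.
// $session is a plain array here (assumption) so the script runs from the CLI.
function csrf_issue(array &$session): string
{
    $session['token'] = strong_csrf_token();
    return $session['token'];
}

// Verify a submitted value. Missing or non-string input is rejected before
// the comparison, and hash_equals() compares in constant time.
function csrf_verify(array $session, mixed $submitted): bool
{
    $expected = $session['token'] ?? null;
    if (!is_string($expected) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Constructed demo inputs: a matching token, a wrong string, and an array
// such as PHP builds from a request parameter named token[].
$session = [];
$token = csrf_issue($session);
var_dump(strlen($token));
var_dump(csrf_verify($session, $token));
var_dump(csrf_verify($session, 'guess'));
var_dump(csrf_verify($session, ['token']));
```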