Software is hard

Like many PHP developers, I'm pretty much self-taught, having started as a hobbyist. Commonly enough, I had a specific need - I wanted to write a cycling advocacy site, and PHP was an easy way to get started - after all, it was just a matter of adding a bit of code into a webpage, and I already knew HTML...

And that's one of PHP's main problems. It's too easy; anyone can write it, without knowing more than the first thing about code. People write low quality or insecure code in the language, so it gets called low quality and insecure itself.

It isn't. Previous versions had their problems, certainly, but PHP5.1 - while not perfect - is an extremely powerful, usable and versatile language. You can write extremely high quality applications and websites in it and manage code testing and documentation very powerfully and effectively.

The problem is that not enough people know how. And perhaps more critically, many of them don't know that they don't know. I don't know what the current state of software engineering teaching is like in universities, but in my day (excuse me if I sound old) we did some C that we knew would run in a trusted, single-machine, secure environment. This was around the time when someone had the bright idea of creating a "common gateway interface" that would let people put back-end applications on those new-fangled web servers! Revolutionary stuff indeed, and long before the days when people even thought of the security requirements of globally exposed, network-connected software.

Back in those junior days there was a youthful innocence - an extreme naivety in fact - as to the vulnerability of code. It wasn't widely realised that servers could be compromised via web apps, and so no-one coded in security. (On a slightly tangential note, the servers hadn't really got the concept of dropping privileges either, and we scared seven shades out of our sysadmin one day when we SSI'd /etc/passwd from a user account).

Unfortunately, many coders - particularly junior ones, although the flaw often seems to survive years of "experience" - still seem to live in those innocent times. When interviewing applicants a few months back I found far too many who didn't know what injection attacks, XSS or CSRF were, and couldn't spot them in example code. And it's precisely that lack of knowledge that's dangerous.

It's not just in security issues that knowledge is lacking, either. Design patterns are still a black art to the majority of coders, and version control and unit testing considered eccentric luxuries. Most revealingly, while everyone knows that OOP is good, few people seem to understand quite why they're using it, or just where its strengths lie.

It must be acknowledged that a lot of coders do seek to learn more, but it can be an uncannily difficult task. There's no shortage of instructional books and websites available on coding, writing websites, and so on, but their availability is massively skewed towards beginners. Even finding intermediate material can be challenging, and finding genuinely advanced material can seem like a needle-in-a-hayfield task. At least, until you find some experts, who can often be almost as well hidden.

This invisibility of good material means that a lot of mid-level coders don't really appreciate how much there is to be learned. Most of the books available tend to be references, and while there are tomes on "software engineering", this is too often considered to be the preserve of desktop applications, million-user sites, or "heavier" languages. It's not. PHP benefits from skilled software engineering and careful process as much as any language, and the techniques that make million-user sites more secure, and their codebases easier to extend, apply just as well to the company intranet or the hobbyist's project (which, these days, could very easily become the Next Big Thing).

So where to look? Schlossnagle's Advanced PHP programming is a fine example of the rare breed of advanced PHP books. But you don't by any stretch need language-specific books, or even, in many cases, particularly modern material. One of the best books on coding I've ever read - and I *wish* I could recall the title - was in its 25th anniversary edition when I read it about 4 years back. "No silver bullet" is 20 years old but at least as valid now as when it was written - and it cites sources going back 10 years. The Gang of Four's Design Patterns is 11 years old and still a primary source.

But you don't have to raid the archives to find good information. PHP bulletin boards and IRC channels may be strongly weighted towards beginners, but if you have a local PHP group (such as PHP-London) you'll find it well populated with skilled developers, many of them the authors of significant open source projects, technical books or articles in such magazines as PHP|architect (a great magazine, but don't bother with hardcopy if you're outside the US). As for advanced websites, Joel on Software is an excellent example.

The most critical aspect, however, is the attitude. We all pass though a phase when we believe that to keep up in this industry we need to continuously learn and study. Then, as with any activity - from photography to flying aircraft - there's a plateau (colourfully called the "death plateau" in the latter case) where we think we know enough. There's a risk of self-congratulation, and we lose momentum. And then - hopefully without having our site hacked or catching hill disease - we realise that there's still a lot more to learn.

And that's the key point of this piece. I've "taken a rest" a bit from studying coding in the past, and been ignorant of the use and even the existence of advanced knowledge. Hopefully in writing this I can push a few of you forward past this plateau, and save you a few hacked websites, a few failed job applications, and a whole load of legacy code headaches.

I'll write more later on various aspects of software development skills and processes, but for now I'll leave you with a small reading list, to add to those items linked above:

Posted by parsingphase, 2006-10-19 21:01

Anonymous user



Contact Richard