Twenty Years Since My First PHP Script

I wrote my first PHP script 20 years ago. It was a forum: the kind where users could register, post threads, reply to each other. Looking back at the code now is genuinely uncomfortable. SQL queries sitting inside HTML. No password hashing. Variables called $x and $temp and, at one point I am not proud of, $temp2. But it worked, and 16-year-old me thought that was basically wizardry.

What I Got Wrong

Pretty much everything, if I am being honest.

I concatenated user input straight into SQL queries because I had no idea what SQL injection was. Nobody had told me, and I had not thought to ask. Passwords went in as plain text because hashing seemed like something "real" developers did, not me. PHP and HTML lived in the same file because the idea of separating them had never occurred to me. Why would you?

Here is roughly what a typical page looked like:

<?php
session_start();
$user = $_SESSION['user'];
?>
<html>
<body>
<?php
$id = $_GET['id'];
// $id goes into the query text as-is: ?id=1 OR 1=1 returns every row (SQL injection)
$result = mysql_query("SELECT * FROM posts WHERE id = $id");
while ($row = mysql_fetch_array($result)) {
    // stored title and content are echoed without htmlspecialchars() (stored XSS)
    echo "<h2>" . $row['title'] . "</h2>";
    echo "<p>" . $row['content'] . "</p>";
}
?>
</body>
</html>

No escaping anywhere. No validation. Raw $_GET values dumped straight into a query, and raw database rows dumped straight into HTML: injection on the way in, XSS on the way out. The fact it ran at all was luck, not skill.

What I Did Not Know I Did Not Know

Security was not even a concept in my head. I knew passwords should probably be hidden from other users, but I did not think about what "hidden" actually meant in practice. XSS, CSRF, session fixation: I had never heard any of those terms. The forum got hacked twice in its first six months. Both times I had no real understanding of how it had happened. I changed some things, crossed my fingers, and kept going.

Version control did not exist in my world either. I edited files directly on the server over FTP. If something broke, the fix was to stare at the code and try to remember what I had touched. I once overwrote the entire user authentication system with an older version and did not notice for three days. The backup was my memory, which, it turns out, is not a reliable backup strategy.

As for learning resources: PHP.net, a few forums including PHPBuilder, and other people's source code. YouTube had technically launched in 2005, but it barely mattered: internet connections were so slow that streaming video was a joke. A two-minute clip could take the better part of an hour to buffer, assuming it loaded at all. Most people I knew were still on dial-up or early ADSL that struggled to hold a connection. Stack Overflow did not exist yet (it launched in 2008), and neither did GitHub. Subversion existed, as did CVS, but nobody in my circle was using them for personal projects: version control felt like something for big teams at real companies. You figured things out by reading whatever messy code you could find and trying stuff until it stopped throwing errors.

The Function Names Still Annoy Me

PHP's function naming has always been a bit of a disaster, and it was worse in 2006. mysql_fetch_array versus mysql_fetch_assoc: similar names, different behavior, and I mixed them up constantly. htmlspecialchars versus htmlentities. Why are both of those necessary? The one that really got me was strpos. It returns false if the substring is not found, but returns 0 if it is found at position zero. So if (strpos($str, 'foo')) silently fails when the match is right at the start. You have to use === false to be safe. I spent an embarrassing number of hours on that specific bug.
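The strpos pitfall bites hardest in exactly the kind of input check a forum does. What follows is an added example written for this page, not code from the original forum: the path-check helpers and the sample inputs are constructed, and htmlspecialchars and htmlentities are run on the same string so the difference between them is visible.

```php
<?php
// Added example for this page, not the original forum code.
// The helper names and sample inputs below are constructed.

// Broken: strpos() returns int 0 when '..' is found at offset 0, and 0 is
// falsy, so the traversal check passes exactly when '..' leads the string.
function rejectsTraversalBroken(string $path): bool
{
    if (strpos($path, '..')) {   // bug: offset 0 is treated as "not found"
        return true;             // reject
    }
    return false;                // accept
}

// Fixed: compare against false with ===, so offset 0 counts as a match.
function rejectsTraversalFixed(string $path): bool
{
    return strpos($path, '..') !== false;
}

// Same payload through both escaping functions. Both neutralise < > " ' &,
// which is what matters for XSS; htmlentities() additionally rewrites every
// character that has a named entity (the é below becomes &eacute;).
function escapeBothWays(string $s): array
{
    return [
        'htmlspecialchars' => htmlspecialchars($s, ENT_QUOTES, 'UTF-8'),
        'htmlentities'     => htmlentities($s, ENT_QUOTES, 'UTF-8'),
    ];
}

foreach (['../etc/passwd', 'img/../../etc/passwd', 'img/cat.png'] as $path) {
    printf("%-22s broken:%s  fixed:%s\n", $path,
        rejectsTraversalBroken($path) ? 'reject' : 'ACCEPT',
        rejectsTraversalFixed($path) ? 'reject' : 'accept');
}

foreach (escapeBothWays('<img src=x onerror="alert(1)"> café') as $fn => $out) {
    printf("%-16s %s\n", $fn, $out);
}
```

Run it with the php CLI. The broken check accepts ../etc/passwd while rejecting img/../../etc/passwd, which is the strpos bug in its most damaging form; the fixed check rejects both. The two escaped lines differ only in the é, so for stopping markup injection htmlspecialchars with ENT_QUOTES and an explicit charset is sufficient and htmlentities buys nothing extra.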

The language did not help beginners understand this stuff. It still has rough edges, honestly, but at least now there are tools like PHPStan and Psalm that catch a lot of it before you ship.

What I Would Tell 2006 Me

Do not panic about making it perfect. Your code is going to be rough regardless, and that is fine. Write it, ship it, break it, fix it. That loop is where the actual learning happens.

Do panic about SQL injection, though. Not later. Now. Use prepared statements. A prepared statement sends the query text and the values to the database separately, so a value is never parsed as SQL, whatever it contains. They look scarier than they are. Learn them before you get hacked a third time.
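What that looks like in practice, as an added example rather than code from the original forum: the 2006-style concatenated query beside a PDO prepared statement, run against the same data. It uses an in-memory SQLite database so it works without a server (the pdo_sqlite extension is assumed); the posts table, its rows and the is_private column are constructed for the demonstration, and the $id parameter stands in for what $_GET['id'] would carry.

```php
<?php
// Added example, not the original forum code. Assumes the pdo_sqlite
// extension; the table, rows and is_private column are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, content TEXT, is_private INTEGER)');
$db->exec("INSERT INTO posts (id, title, content, is_private) VALUES
    (1, 'Welcome', 'Hello <script>alert(1)</script>', 0),
    (2, 'Mod notes', 'ban list, staff only', 1)");

// 2006 style: the request value is interpolated straight into the SQL text.
function fetchPostUnsafe(PDO $db, string $id): array
{
    $sql = "SELECT id, title, content FROM posts WHERE id = $id AND is_private = 0";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the value is bound, so it can only ever be a value.
// Output is escaped with htmlspecialchars() before it is echoed into HTML.
function fetchPostSafe(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT id, title, content FROM posts WHERE id = :id AND is_private = 0');
    $stmt->execute([':id' => $id]);
    $rows = [];
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $rows[] = array_map(
            fn($v) => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8'),
            $row
        );
    }
    return $rows;
}

$inputs = [
    '1',             // a normal request
    '1 OR 1=1 --',   // what ?id=1%20OR%201%3D1%20-- arrives as
];

foreach ($inputs as $id) {
    foreach (['unsafe' => 'fetchPostUnsafe', 'safe' => 'fetchPostSafe'] as $label => $fn) {
        $rows = $fn($db, $id);
        printf("%-6s id=%-12s %d row(s)\n", $label, $id, count($rows));
        foreach ($rows as $row) {
            printf("       #%s %s: %s\n", $row['id'], $row['title'], $row['content']);
        }
    }
}
```

With the injected value, the unsafe query becomes WHERE id = 1 OR 1=1 -- AND is_private = 0: the comment swallows the privacy filter and both rows come back, the staff-only one included, with the stored script tag untouched. The prepared version binds the whole string as a single value that matches no id, so it returns nothing, and for the normal request it returns the row with its content escaped. Two things to carry over to a real setup: against MySQL set PDO::ATTR_EMULATE_PREPARES to false so the server does the binding, and remember that a prepared statement fixes only the way in; the htmlspecialchars call is what fixes the way out.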

Stop naming variables $temp. I know it feels fine in the moment, but three weeks later you will have four of them and no idea what any of them hold. Two extra seconds on a real name ($userId, $postContent) saves a lot of confusion later.

FTP is not a backup. Learn version control, something like Git or SVN. I know it seems like overkill: a whole version control system, just for you, just for a hobby forum? But it is not overkill. These tools are free, they run fine on your local machine, and the basic workflow is not that complicated once you get past the initial setup. You will understand exactly why it matters the first time you accidentally overwrite something important and have nothing to go back to. That moment will come. It is better to be ready for it.

Where It Ended Up

That forum is long gone: I took it down sometime around 2008, when the server bill stopped feeling worth it for 40 active users. But I think about it sometimes. Every bad decision in that codebase taught me something. The hack that I could not explain pushed me to finally understand how injection attacks actually worked. The lost authentication system made version control feel urgent rather than optional.

Twenty years on, I am still writing code. The stack has changed completely. But the basic rhythm has not: build something, watch it break in ways you did not expect, understand why, do better next time. The forum was a mess. It was also probably the most educational thing I have ever built.

FAQ

Q What would you build differently today?
A I would use a framework like Laravel or Symfony instead of writing everything from scratch. Modern PHP frameworks give you routing, an ORM or query builder that binds parameters, a template engine that escapes output by default, and CSRF protection out of the box. Back then, frameworks existed but were not as mature or widely adopted.
Q Is PHP still worth learning in 2026?
A PHP has had "dying language" written on its tombstone since about 2010 and yet here we are. PHP 8.x is genuinely good: typed properties, enums, fibers, match expressions. It is a different language from what I was writing in 2006. Laravel in particular has made PHP competitive with Rails or Django for building web applications. That said, if you are starting from zero, JavaScript or Python will open more doors faster. Learn PHP when you have a concrete reason to: a WordPress codebase to maintain, a Laravel project to contribute to, a job that requires it. It rewards that kind of purposeful learning better than it rewards learning it speculatively.
Q What resources existed in 2006?
A PHP.net documentation, a few scattered tutorials, and forums like PHPBuilder. Stack Overflow launched in 2008, so that was not yet an option. YouTube existed but internet was so slow that streaming video was barely usable: buffering a short clip could take an hour. No GitHub either. Subversion and CVS existed as version control options but most hobbyists had no idea those tools applied to them. You learned by reading other people's messy code and a lot of trial and error.
Q How long did it take to build the forum?
A About two months of evenings and weekends. Most of that time was spent figuring out how sessions worked and why my SQL queries kept breaking. If I built the same thing today with a modern framework, maybe a week.

About the Author

Asaduzzaman Pavel

Software Engineer who actually enjoys the friction of well-architected systems. 15+ years building high-performance backends and infrastructure that handles real-world chaos at scale.
