Twenty Years Since My First PHP Script

php dev.to

I wrote my first PHP script 20 years ago. It was a forum: the kind where users could register, post threads, reply to each other. Looking back at the code now is genuinely uncomfortable. SQL queries sitting inside HTML. No password hashing. Variables called $x and $temp and, at one point I am not proud of, $temp2. But it worked, and 16-year-old me thought that was basically wizardry.

What I Got Wrong

Pretty much everything, if I am being honest.

I concatenated user input straight into SQL queries because I had no idea what SQL injection was. Nobody had told me, and I had not thought to ask. Passwords went in as plain text because hashing seemed like something "real" developers did, not me. PHP and HTML lived in the same file because the idea of separating them had never occurred to me. Why would you?

Here is roughly what a typical page looked like:

<?php
session_start();
$user = $_SESSION['user'];
?>
<html>
<body>
<?php
// $id comes straight from the query string and is interpolated into the SQL:
// this is the SQL injection the text describes.
$id = $_GET['id'];
$result = mysql_query("SELECT * FROM posts WHERE id = $id");
while ($row = mysql_fetch_array($result)) {
    // Stored content is echoed with no escaping: any HTML in a post runs (XSS).
    echo "<h2>" . $row['title'] . "</h2>";
    echo "<p>" . $row['content'] . "</p>";
}
?>
</body>
</html>

No escaping anywhere. No validation. Just raw $_GET values dumped straight into a query. The fact it ran at all was luck, not skill.

What I Did Not Know I Did Not Know

Security was not even a concept in my head. I knew passwords should probably be hidden from other users, but I did not think about what "hidden" actually meant in practice. XSS, CSRF, session fixation: I had never heard any of those terms. The forum got hacked twice in its first six months. Both times I had no real understanding of how it had happened. I changed some things, crossed my fingers, and kept going.

Version control did not exist in my world either. I edited files directly on the server over FTP. If something broke, the fix was to stare at the code and try to remember what I had touched. I once overwrote the entire user authentication system with an older version and did not notice for three days. The backup was my memory, which, it turns out, is not a reliable backup strategy.

As for learning resources: PHP.net, a few forums including PHPBuilder, and other people's source code. YouTube had technically launched in 2005, but it barely mattered: internet connections were so slow that streaming video was a joke. A two-minute clip could take the better part of an hour to buffer, assuming it loaded at all. Most people I knew were still on dial-up or early ADSL that struggled to hold a connection. Stack Overflow did not exist yet (it launched in 2008), and neither did GitHub. Subversion existed, as did CVS, but nobody in my circle was using them for personal projects: version control felt like something for big teams at real companies. You figured things out by reading whatever messy code you could find and trying stuff until it stopped throwing errors.

The Function Names Still Annoy Me

PHP's function naming has always been a bit of a disaster, and it was worse in 2006. mysql_fetch_array versus mysql_fetch_assoc: similar names, different behavior, and I mixed them up constantly. htmlspecialchars versus htmlentities. Why are both of those necessary? The one that really got me was strpos. It returns false if the substring is not found, but returns 0 if it is found at position zero. So if (strpos($str, 'foo')) silently fails when the match is right at the start. You have to use === false to be safe. I spent an embarrassing number of hours on that specific bug.

The language did not help beginners understand this stuff. It still has rough edges, honestly, but at least now there are tools like PHPStan and Psalm that catch a lot of it before you ship.

What I Would Tell 2006 Me

Do not panic about making it perfect. Your code is going to be rough regardless, and that is fine. Write it, ship it, break it, fix it. That loop is where the actual learning happens.

Do panic about SQL injection, though. Not later. Now. Use prepared statements. They look scarier than they are. Learn them before you get hacked a third time.
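The same page as above, rewritten the way this advice suggests. This is an added example, not the author's forum code; it assumes a local MySQL database named forum with a posts(id, title, content) table, and the connection credentials are placeholders.

```php
<?php
// Assumed setup (not from the original post): MySQL database "forum",
// table posts(id, title, content), placeholder credentials below.
session_start();
$user = $_SESSION['user'] ?? null;

$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=forum;charset=utf8mb4',
    'forum_user',
    'CHANGE_ME',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

// Validate the type first: a post id is a positive integer, nothing else.
// filter_input returns null if 'id' is absent and false if it fails validation.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Invalid post id');
}

// The SQL text and the value travel separately, so $id can never change the
// shape of the query, which is what the 2006 version allowed.
$stmt = $pdo->prepare('SELECT title, content FROM posts WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$posts = $stmt->fetchAll();

// Escape on output so a post body containing <script> renders as text, not markup.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
?>
<html>
<body>
<?php foreach ($posts as $row): ?>
    <h2><?= e($row['title']) ?></h2>
    <p><?= e($row['content']) ?></p>
<?php endforeach; ?>
</body>
</html>
```

Note that the id check and the prepared statement are two separate defences: validation rejects obviously bad input early, while the parameter binding is what actually makes injection impossible even for values that pass validation.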

Stop naming variables $temp. I know it feels fine in the moment, but three weeks later you will have four of them and no idea what any of them hold. Two extra seconds on a real name ($userId, $postContent) saves a lot of confusion later.

FTP is not a backup. Learn version control, something like Git or SVN. I know it seems like overkill: a whole version control system, just for you, just for a hobby forum? But it is not overkill. These tools are free, they run fine on your local machine, and the basic workflow is not that complicated once you get past the initial setup. You will understand exactly why it matters the first time you accidentally overwrite something important and have nothing to go back to. That moment will come. It is better to be ready for it.

Where It Ended Up

That forum is long gone: I took it down sometime around 2008, when the server bill stopped feeling worth it for 40 active users. But I think about it sometimes. Every bad decision in that codebase taught me something. The hack that I could not explain pushed me to finally understand how injection attacks actually worked. The lost authentication system made version control feel urgent rather than optional.

Twenty years on, I am still writing code. The stack has changed completely. But the basic rhythm has not: build something, watch it break in ways you did not expect, understand why, do better next time. The forum was a mess. It was also probably the most educational thing I have ever built.

Source: dev.to
