I’ve been meaning to write about this for a few months, and although I know LLMs are evolving rapidly, I think it’s probably still relevant. (Let’s see ChatGPT pull off convincingly human snark.)
Earlier this year, I received an email from a client.
First, I should probably just mention that I have different types of client relationships. The kind I prefer to have is one where I’m involved with their web project from the beginning. Those clients see the true value of what I offer. (And I don’t mean “value” as in “cheap.” I mean “value” as in “worth the premium price.”)
Then there are the clients who, for whatever reason, fell into a working relationship with me after their website was already live. I’m generally reluctant to take on ongoing support for websites I didn’t build, but for various reasons, it does sometimes happen. I still avoid it when I can.
Let’s just put it this way: I have never been hired to take over support for an existing site, logged in, and thought, wow, the person who built this is really good at making websites. There’s a reason the client stopped working with them. But. If that’s the past experience the client is bringing to their relationship with me, they probably think everyone who does what I do sucks. Usually I have the opportunity to convince them otherwise, but not always. Some clients come in with an unshakeable predisposition against anyone who does what I do… especially ones who charge my rates.
As you may have guessed from those last three paragraphs, the email came from one such client. They have apparently been working with someone else (cheaper) to redesign their site, but in the meantime (going on multiple years now) they’re still stuck with me making updates to the piece of garbage I inherited. But they definitely try to keep my hours to a minimum. Which, all things considered, I get.
So, it was funny when I received this email from the client. It included a couple of attachments, both plain text (.txt) files. The client said they had created a web form they needed me to post on the site.
Well, first of all, we have Gravity Forms installed on the site, as with every WordPress site I build that needs forms. So, why didn’t they use that? I have no idea.
I opened up the text files. One was actually an HTML file. It contained their form, and some JavaScript for conditional interactivity — showing/hiding certain fields based on the selections in other fields. It was clean code and it looked like it worked. I was… surprised. (No CSS though, and obviously no page layout elements.)
Then I took a look at the other text file. It contained PHP code. It was well-structured, valid code. Technically.
But… well… I kind of just have to show it to you (with identifying details redacted, of course):
```php
<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $to = "redacted@example.com";
    $subject = "Redacted Form Submission";
    $message = "";
    foreach ($_POST as $key => $value) {
        $message .= ucfirst($key) . ": " . htmlspecialchars($value) . "\n";
    }
    $headers = "From: no-reply@example.com";
    if (mail($to, $subject, $message, $headers)) {
        echo "Email sent successfully.";
    } else {
        echo "Email failed to send.";
    }
}
?>
```
Although this may have been a reasonable “my first web form” tutorial for learning PHP in 2005, you can’t use this code today. Do not use this code today.
Aside from the fact that it’s not a complete page in itself — I mean, do you really want the confirmation after the user submits the form to just be “Email sent successfully” in Times New Roman, black text in the top left corner of a blank white page? Because that’s what would happen if this code ran as the response to the form submission — aside from that, this is missing so much of what it would need to be usable on a modern website.
Also set aside the fact that this is only coded to send off an email. No saving the information to a database, which you’d almost surely want on any database-driven website, especially given the current tenuousness of email delivery, which I’ll get to shortly.
One safeguard is the fact that it probably wouldn’t even run successfully at all on most modern web servers, because few servers still support the straight-up PHP mail() function: it’s too easy for spammers to abuse if they manage to hack into your site.
Even if the server does support the mail() function, you’ll never receive the email because, these days, any random web server that actually lets you use mail() is almost certainly already on every spam blocklist, or doesn’t have the necessary SPF, DKIM and DMARC DNS entries that receiving mail servers will check before accepting the incoming message.
Then there’s the fact that there is absolutely zero data validation or sanitization on the form input. It is trivially easy for hackers to abuse a script like this to inject arbitrary code, potentially granting them access to manipulate the contents of your database or even the server’s operating system.
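For contrast, here is an added example of what the bare minimum of input handling looks like for that same form. It is not code from the original post, from the client, from ChatGPT, or from Gravity Forms; the field names, the length limits, and the `$send` callback are assumptions. It only accepts the fields the form is known to have (so the mail body can’t be stuffed with whatever keys a bot decides to POST), checks types (htmlspecialchars() on a `field[]=x` array value throws a TypeError on PHP 8, which would turn the script into a 500 error), enforces lengths, validates the email address, and refuses CR/LF in any value that could end up in a mail header, which is the check you need the moment a user-supplied address goes into Reply-To (the usual next step after a script like this). Sending is delegated to a callback, because on a real site that step is an SMTP library or a database insert, not mail().

```php
<?php
// Added example of a hardened form handler (assumed field names and limits).
declare(strict_types=1);

// Allow-list of the fields the form actually sends, with byte-length limits.
// Anything else in $_POST is silently dropped.
const ALLOWED_FIELDS = [
    'name'    => 100,
    'email'   => 254,
    'message' => 2000,
];

/**
 * Validate a submitted POST array. Returns [errors, cleanFields].
 */
function validate_submission(array $post): array
{
    $errors = [];
    $clean  = [];
    foreach (ALLOWED_FIELDS as $field => $maxLen) {
        $raw = $post[$field] ?? '';
        if (!is_string($raw)) {             // rejects array-valued fields like name[]=x
            $errors[$field] = 'invalid type';
            continue;
        }
        $value = trim($raw);
        if ($value === '') {
            $errors[$field] = 'required';
            continue;
        }
        if (strlen($value) > $maxLen) {
            $errors[$field] = 'too long';
            continue;
        }
        // A CR or LF inside a value that reaches a header line lets the sender
        // append extra headers (Bcc:, To:) and turn the script into a spam relay.
        // The message body may contain line breaks; header-bound fields may not.
        if ($field !== 'message' && preg_match('/[\r\n]/', $value)) {
            $errors[$field] = 'line breaks not allowed';
            continue;
        }
        $clean[$field] = $value;
    }
    if (isset($clean['email']) && filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'not a valid address';
        unset($clean['email']);
    }
    return [$errors, $clean];
}

/**
 * Build the outgoing message from validated fields only. The body is plain
 * text, so no HTML escaping is applied; the visitor's address goes in
 * Reply-To, while From stays a fixed address the site's SPF/DKIM covers.
 */
function build_message(array $clean): array
{
    $body = '';
    foreach ($clean as $field => $value) {
        $body .= ucfirst($field) . ": " . $value . "\n";
    }
    return [
        'subject' => 'Contact form submission',
        'body'    => $body,
        'headers' => ['From' => 'no-reply@example.com', 'Reply-To' => $clean['email']],
    ];
}

/**
 * Handle one request. $send receives the built message and returns bool;
 * it stands in for an SMTP library or a database insert (assumed).
 */
function handle_request(array $server, array $post, callable $send): array
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return ['status' => 405, 'errors' => ['_' => 'POST required']];
    }
    [$errors, $clean] = validate_submission($post);
    if ($errors !== []) {
        return ['status' => 422, 'errors' => $errors];
    }
    $ok = $send(build_message($clean));
    return ['status' => $ok ? 200 : 500, 'errors' => $ok ? [] : ['_' => 'send failed']];
}

// Demonstration with constructed input (not real submissions): a name carrying
// an injected header line is rejected, a clean submission reaches the sender.
$sent = [];
$recorder = function (array $msg) use (&$sent): bool {
    $sent[] = $msg;
    return true;
};
$tampered = ['name' => "Eve\r\nBcc: everyone@example.net", 'email' => 'eve@example.com', 'message' => 'hi'];
var_dump(handle_request(['REQUEST_METHOD' => 'POST'], $tampered, $recorder)['errors']);

$legit = ['name' => 'Alice', 'email' => 'alice@example.com', 'message' => "Hello,\nquestion about pricing."];
var_dump(handle_request(['REQUEST_METHOD' => 'POST'], $legit, $recorder)['status']);
var_dump(count($sent));
```

Even this still doesn’t address the other half of the problem: nothing stops a bot from submitting the form a thousand times a minute. That needs rate limiting, a honeypot field or a CAPTCHA, plus a deliverable sender (SPF, DKIM, DMARC), which is exactly the stuff a maintained form plugin already handles and a one-off script never will.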
Should I go on? I could go on. But I’ll leave it at that.
Here is where, Aristocrats-style, I deliver the punchline, which you’ve probably already deduced from the title of this post.
“Where,” I asked the client, “did you get this code?”
“ChatGPT.”
ChatGPT. Now, I know a lot of experienced developers these days are using LLMs to generate code, as an assistive tool to bootstrap their applications faster.
But those tools are only effective if you know how to write the correct prompts, and, critically, if you understand the code well enough that you can review it for accuracy and security before deploying it. These are not tools that are suitable for non-technical people to use to directly generate production code in 2025. Will they be someday? Probably. But we are nowhere near that point yet.
Fortunately, the client didn’t know how to install this code directly on their site, so they had to ask me for assistance with that final, crucial step. And I used the opportunity to inform them (more kindly and succinctly than here) why it was not usable as-is. It took me less than 15 minutes to replicate and test in Gravity Forms, and they were up and running with a functional, well-designed, and secure form.
So, again, please, if you don’t possess the ability to look at code and understand whether or not it will work, or what the security implications might be, don’t use ChatGPT (or any other AI) to write code.