Comply with ZDNET: Add us as a preferred source on Google.
ZDNET’s key takeaways
- AI repeated main sections in a mission-critical coding plan.
- Mission-critical coding work is just too dangerous to delegate to AI.
- AI is okay for brand new options, not core infrastructure.
I wakened in a chilly sweat. In my nightmare, I used to be being chased by tens of 1000’s of individuals, all of whom have been enraged as a result of I destroyed their privateness. They have been all holding laptops over their heads, swinging them like golf equipment supposed for my head.
They are saying nightmares replicate no matter your unconscious is making an attempt to let you know. Given the work I used to be planning to start out within the morning, I knew precisely what my darkish night time mind was making an attempt to say.
Additionally: I retested GPT-5’s coding skills using OpenAI’s guidance – and now I trust it even less
It was saying, “Cease!” Do not do it.” My internal realizing was screaming on the high of its lungs, “Do not let the AI code for you.”
This, consider it or not, just isn’t hyperbole. I used to be on the point of begin a coding venture the place I used to be planning on utilizing an AI for assist.
However not like all these vibe coding tales you examine the place somebody makes a Pinterest clone in 12 days of code-free immediate calisthenics, I used to be planning on making a deep architectural change to mission-critical code utilized by greater than 20,000 websites internationally to supply entry safety and web site privateness.
If I shipped broken code, it will, at finest, break a bunch of web sites. At worst, it will open the contents of these personal websites to the general public web.
Additionally: How I saved myself $1200 a year in cloud storage – in 5 sobering steps
Folks use my code to create protected, personal websites that they do not need shared with your complete web. Customers can designate particular relations, schoolmates, and/or lecturers who can log in.
It is also utilized by builders for locking down tasks in progress. Customers arrange personal take a look at websites behind login pages, which is nice for publishing restricted-access preview websites for consumer overview and use.
What the venture entails
So, let me let you know concerning the replace I used to be planning. Then I will share the work I did with the AI, after which why I modified my thoughts.
On the core of all of those websites is a collection of settings data. These data seize how every web site proprietor needs to configure their privateness. They embrace lists of pages to make personal or public, tags and classes used for a similar objective, and a wide range of different site-specific privateness settings.
Additionally: GPT-5 bombed my coding tests, but redeemed itself with code analysis
Settings are at present saved as one thing referred to as serialized arrays. Serialization is a means of taking a giant block of structured knowledge and storing it in a database discipline. However there’s an issue, not with the serialization course of, however with the unserialization course of, the place the info is reconstituted to be used by code.
More often than not, serialization goes on behind the scenes each time WordPress saves or updates a settings worth. It is a completely secure mechanism for settings administration. Nonetheless, there are some locations in my current code that explicitly serialize and unserialize unnecessarily.
The issue is that unserialize() will reconstitute just about something, together with malicious logic. That is referred to as PHP Object Injection. It is a vulnerability that may be exacerbated utilizing unserialize(). My code already does some checks to stop malicious conduct, however in a couple of locations, my code does its personal serialize/unserialize course of that opens up a slight vector of threat.
It must be famous that this vulnerability solely happens if one other current plugin or theme already has vulnerabilities and exploits put in within the system. Checks utilizing vulnerability scanners have by no means recognized such vulnerabilities in any of my code, however I would reasonably be secure than sorry.
Additionally: I tested GPT-5’s coding skills, and it was so bad that I’m sticking with GPT-4o (for now)
I need to replace my code to easily take away the few pointless makes use of of hand-coded serialization. It is a pretty simple course of that includes studying the outdated settings knowledge, updating it to the brand new format, and saving it again to the database.
Besides… not a lot.
Lots must be thought of when making this modification. First, after all, is that 20,000 websites use these settings. Any change needs to be sturdy, redundant, recoverable, and pretty clear.
It has to have some sort of pre-migration backup course of and a failure restoration course of. It has to work it doesn’t matter what order the settings are accessed and saved. Each setting that is up to date, checked, and resaved needs to be transformed all through 12,000+ strains of code.
Edge situations should be recognized, examined for, and factored into the code in order that no web site fails. Some degree of model administration needs to be added to the settings knowledge in order that newer variations of the code know what to transform, and older variations of code on different websites do not break.
It is lots. This isn’t ranging from scratch and making some kind of fairly web site utilizing AI. That is modifying code in current installations and ensuring each web site is ready to safely replace.
Getting an AI overview
Earlier than I thought of modifying the settings code to take away the objects I used to be involved about, I requested GPT-5 Thinking Mode Deep Research in ChatGPT, OpenAI Codex, Google Jules, and a lighter model of GPT-5 Deep Research.
(Disclosure: Ziff Davis, ZDNET’s mum or dad firm, filed an April 2025 lawsuit towards OpenAI, alleging it infringed Ziff Davis copyrights in coaching and working its AI programs.)
The final AI above was used as a result of I apparently exceeded a restrict, so my deep analysis question resulted on this message: “Your remaining queries are powered by a lighter model of deep analysis. Our full entry resets on Saturday. Improve to ChatGPT Professional to proceed utilizing deep analysis.” Since I had every week to attend earlier than I would get the total Deep Analysis AI again, I made a decision to rerun the question within the lighter model and see what it will do.
OpenAI Codex and Google Jules each phoned of their solutions. Codex gave me a brief listing of settings values in bullet type. Jules offered 4 quick paragraphs primarily saying that my code requests and receives values again from the database. Neither reply impressed me.
Earlier than GPT-5 Deep Analysis downgraded, I bought a 13-page doc that defined each mechanism, each discipline, and each choice utilized in my settings code. To be sincere, it was nearly overwhelming. It was clear and complete, nevertheless it was nearly too full. It offered essentially the most in-the-weeds particulars on the identical degree of precedence as the main ideas, making it tough to get a really good image of operations.
The lighter model of Deep Analysis gave me what I would contemplate the Goldilocks model. It was good. It offered the high-order structure and talked about the tiny particulars, however did not get sidetracked by them. I discovered it fairly helpful.
Planning for the main code change
My intent was to get the AI to code this settings repair. Earlier than Deep Analysis downgraded me to the lighter model, I had been working with its absolutely powered functionality.
Additionally: I went hands-on with ChatGPT Codex and the vibe was not good – here’s what happened
At that time, I wished to have Deep Analysis produce a plan of motion for making the change then feed that plan to both Codex or Jules. Jules is thought for growing a plan of motion for any coding process, however given how little it offered for the preliminary evaluation, I wasn’t assured it will be capable of suppose via all of the implications and levels crucial.
I had downloaded the aforementioned barely overwhelming 13-page “how settings work” element doc created by the absolutely powered Deep Analysis earlier than it downgraded. I handed that alongside to a brand new session.
The concept was to have one AI session analyze the prevailing code, after which have a totally completely different AI session take that evaluation to plan the precise modification course of.
Additionally: Google’s Jules AI coding tool exits beta with serious upgrades – and more free tasks
This time I requested it for a plan to provoke the improve. I gave it a really detailed immediate (looking back, probably too detailed), and requested it to create a product necessities doc (PRD) that might be given to Jules or Codex.
I bought again an 11-page doc with the next sections:
- Background and Targets
- Information Buildings Earlier than and After
- Migration Technique (with Model Monitoring and Failover)
- Plugin Interoperability and Partial Improve Dealing with
- Settings Administration Library API Design
- Edge Instances and Rollback Technique
- Plugin Interoperability and Partial Improve Dealing with
- Settings Administration Library API Design
- Edge Instances and Rollback Technique
- Deployment Issues
- Developer Notes for Codex/Jules
Do you discover something in that listing? One thing about it ain’t proper. Preserve wanting. You may see it.
Yep, it repeated three sections. Plugin interop, settings administration, and edge instances are repeated twice.
I do not belief the AI to do that
Now, look. I have been responsible of chopping and pasting and leaving some content material in two locations, however I am not an AI. I am additionally not being “interviewed” for the job of modifying mission-critical code.
Sure, there isn’t any doubt I might have eliminated the duplicate sections and nonetheless fed the PRD to both Jules or Codex. However the presentation error raised the hairs on the again of my neck. That PRD was a set of directions for one large coding change. What else was flawed with it? What may I’ve missed?
Additionally: 9 programming tasks you shouldn’t hand off to AI – and why
In spite of everything, once I code, I do one small function at a time. I take a look at out each line, sweat each element, and obsess over each change. However this was a giant doc that I might theoretically rubber-stamp and delegate the work to some pseudo-intelligence within the cloud.
I thought of this gorgeous deeply earlier than making a call.
I’m pretty comfy letting the AI add a brand new functionality or construct one thing from scratch. However diving deep into the bowels of mission-critical code? I am not prepared to surrender the reins.
Additionally: Coding with AI? My top 5 tips for vetting its output – and staying out of trouble
The draw back might be far too catastrophic. If the AI ran amok in my code, I may not even be capable of work out what went flawed. Positive, I might roll again all the way in which to earlier than I delegated the duty to the AI, however why take the possibility?
I need extra granular management. I am pleased to have the AI assist with writing a selected routine, doing coding for well-documented interfaces, and including some new non-mission-critical options.
However relating to core capabilities and issues that would flip nightmares of torch-wielding, laptop-swinging, indignant web site operators into actuality, I feel I will do the coding myself.
Keep tuned. I shall be utilizing the AI to code. And I’ll let you know about it. However I am not going to let the AI unfastened the place it might achieve this a lot injury so rapidly, for therefore little achieve.
Additionally: 10 professional developers on vibe coding’s true promise and peril
Have you ever tried letting AI deal with elements of your coding tasks? Did you belief it with crucial infrastructure or solely non-essential options? The place do you draw the road between comfort and threat? Tell us within the feedback under.
