Update 2015-07-22: The specific problems listed below have, for the most part, been remedied. More work remains to be done to clean up other instances of insecure code or bad security advice.

If anyone else finds themselves in the same situation, where there's an insecure code snippet in a high-scoring or accepted answer and your edits are being rejected by the reviewers, refer to the accepted answer. Go join room 11 and ask for help. Some of the moderators frequent this room and might be willing to help.

If anyone is unsure about whether or not a particular answer is secure, feel free to ask me ( security@ ).

The top results for a Google Search for php encryption are:

This is terrible.

Developers who come to Stack Overflow should be given better cryptography advice. Namely:

- Unless you're a crypto expert, don't roll your own crypto in production. Instead, you want to use one of the following:
  - libsodium (if you can install PECL extensions)
  - defuse/php-encryption if you cannot
  - Zend\Crypt if you're using a compatible framework
- Use AEAD constructions where available, Encrypt-Then-MAC where they're not.
- Use /dev/urandom for encryption keys, IVs, nonces, etc.
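To make the three points above concrete, here is an added example (not code from the original post, and not taken from libsodium, defuse/php-encryption or Zend\Crypt) showing what "good" looks like in plain PHP: an AEAD construction via the sodium extension where it is available, and an Encrypt-then-MAC fallback built from OpenSSL AES-256-CTR plus HMAC-SHA256 where it is not. Keys, IVs and nonces come from `random_bytes()`, which reads the operating system CSPRNG (/dev/urandom on Linux). The function names, the key-derivation labels and the sample message are assumptions made for this example; the PHP extension functions used are the real `sodium_*`, `openssl_*`, `hash_hkdf`, `hash_hmac` and `hash_equals` APIs.

```php
<?php
declare(strict_types=1);

// Added example, not the original post's code. Assumes PHP >= 7.2 with the
// sodium and openssl extensions loaded.

// ----- AEAD with libsodium (preferred) -----
function aeadEncrypt(string $plaintext, string $key): string
{
    // XSalsa20-Poly1305 secretbox: confidentiality and integrity in one primitive.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // fresh 24-byte nonce per message
    return $nonce . sodium_crypto_secretbox($plaintext, $nonce, $key);
}

function aeadDecrypt(string $blob, string $key): ?string
{
    if (strlen($blob) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null; // too short to contain nonce + tag
    }
    $nonce      = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $ciphertext = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plaintext  = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
    return $plaintext === false ? null : $plaintext; // false means the tag did not verify
}

// ----- Encrypt-then-MAC with OpenSSL (fallback when sodium is unavailable) -----
function etmKeys(string $masterKey): array
{
    // Derive independent encryption and authentication keys from one 32-byte master key.
    // The info labels are arbitrary constants chosen for this example.
    return [
        hash_hkdf('sha256', $masterKey, 32, 'encryption'),
        hash_hkdf('sha256', $masterKey, 32, 'authentication'),
    ];
}

function etmEncrypt(string $plaintext, string $masterKey): string
{
    [$encKey, $macKey] = etmKeys($masterKey);
    $iv = random_bytes(16); // AES block size; CTR mode needs a unique IV per message
    $ciphertext = openssl_encrypt($plaintext, 'aes-256-ctr', $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed');
    }
    // The MAC covers the IV as well as the ciphertext, so neither can be altered unnoticed.
    $mac = hash_hmac('sha256', $iv . $ciphertext, $macKey, true);
    return $mac . $iv . $ciphertext;
}

function etmDecrypt(string $blob, string $masterKey): ?string
{
    [$encKey, $macKey] = etmKeys($masterKey);
    if (strlen($blob) < 32 + 16) {
        return null; // too short to contain MAC + IV
    }
    $mac        = substr($blob, 0, 32);
    $iv         = substr($blob, 32, 16);
    $ciphertext = substr($blob, 48);
    // Verify the MAC first, in constant time, before touching the ciphertext.
    $expected = hash_hmac('sha256', $iv . $ciphertext, $macKey, true);
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    $plaintext = openssl_decrypt($ciphertext, 'aes-256-ctr', $encKey, OPENSSL_RAW_DATA, $iv);
    return $plaintext === false ? null : $plaintext;
}

// Flip one bit at the given offset; used to show that tampering is detected.
function flipBit(string $blob, int $offset): string
{
    $blob[$offset] = chr(ord($blob[$offset]) ^ 0x01);
    return $blob;
}

// Round-trip both constructions and confirm a modified blob is rejected rather than
// decrypted to garbage. Returns true only if every check passes.
function selfTest(): bool
{
    $message = 'attack at dawn'; // constructed sample input

    $sodiumKey = sodium_crypto_secretbox_keygen(); // 32 bytes from the CSPRNG
    $blob = aeadEncrypt($message, $sodiumKey);
    $ok  = aeadDecrypt($blob, $sodiumKey) === $message;
    $ok  = $ok && aeadDecrypt(flipBit($blob, strlen($blob) - 1), $sodiumKey) === null;

    $masterKey = random_bytes(32);
    $blob = etmEncrypt($message, $masterKey);
    $ok  = $ok && etmDecrypt($blob, $masterKey) === $message;
    $ok  = $ok && etmDecrypt(flipBit($blob, 40), $masterKey) === null; // bit flipped inside the IV

    return $ok;
}

echo selfTest() ? "ok\n" : "FAIL\n";
```

Run it with `php example.php`. The point of the two tamper checks in `selfTest()` is the property the unauthenticated snippets in the top-ranked answers lack: with either construction, a one-bit change anywhere in the stored blob causes decryption to fail closed (`null`) instead of silently returning a corrupted plaintext, which is what makes padding-oracle and bit-flipping attacks against CBC-without-MAC code a non-issue here.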

I know Stack Overflow cannot control Google's search results, but we certainly can clean up the pages that users read when they click on popular answers.

This is not a general policy question about dangerous answers; it's a call to action to replace the bad security advice that users are likely to encounter with information less likely to leave them vulnerable.

One of my issues with the current state of things is that my edits are universally being rejected because I "should have submitted them as a separate answer instead". However, I can't answer closed questions. So even if I have a correct answer that will lead users to a better approach, I can't post it.

My attempts to remedy insecure code and bad cryptography advice have been rejected because they "changed the intent" of the original answer. What should be the correct way to promote better security practices here?