How "vibe-coding" ruined the way I used to learn programming

AI/LLMs started out as a funny gimmick, or so I thought, but now they’re creating a growing crowd of second‑hand thinkers. A lot of users end up hallucinating right alongside their AI agents. Funny times we currently live in.

So, here’s a funny story about how one vibe‑coded‑app incident changed the way I look at the future of software.

IBM even calls Vibe Coding “VibeOps” in an article, haha!

I used to spend days figuring things out: researching, learning, and wrestling with complex programming problems. Now I've started using LLMs for these issues more than ever. At first, I asked for small code examples I could rewrite into my projects, but that slowly evolved into uploading entire files and getting back (supposedly) more efficient and better code. In the beginning I still verified everything the models spit out, cross-checking the documentation and internet boards to be sure it was correct. These days I find myself asking more and verifying less. Learning like this feels like cheating; nothing sticks the way it does after you’ve spent days on one f*kin issue. And don’t get me started on the lack of satisfaction.

Why learn if you can vibe‑code? It’s a sad (but increasingly commonly asked) question.

The online post that inspired me to share (and re-execute) this story:

A little over two years ago I also started using an LLM to rewrite the text on my websites. Looking back, I’m now reverting all those changes. What was once a quirky gimmick has become obnoxious. Any site I visit that’s 100 % AI-written is a site I skip. I currently only use an LLM for grammar and readability for text, as English isn't my native language.

However, I'm very happy with the knowledge I gained before vibe-learning was a go-to thing. And that's where this funny story starts:

Finally, the funny story

First, some context: my friend is currently studying programming as part of his HBO-opleiding here in the Netherlands. He started, like me, with an MBO-opleiding. He finished his MBO; I didn’t. He then chose to move up to HBO, while I went straight to work and kept learning on my own.

Not long ago he showed me his project: a complete webshop with a back end, front end, and full ordering‑and‑stock system, all completely vibe-coded. Then he made his big mistake: he asked me to “try it out.” I read that as “go ham, break it”… and so I did. But I never expected to get this far, and I won't tell you what grade he got either.

So let's start,

First we create a user account on his web-shop so we can actually place an order:

Actually, the fun starts here already: loading this page sends an API request to /user. This API returns information about the currently authenticated user. The response:

{
    "id": 3,
    "name": "Sepp",
    "infix": "",
    "lastName": "JM",
    "email": "breaking@seppjm.com",
    "password": "$HASHED_PASSWORDxx5kr4ArWXq",
    "admin": false
}

We get the ID, name, email, current hashed password, and the is-admin variable. Yikes...

Sending a PUT request with the JSON above and the id changed lets me overwrite any existing user. Oops
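A sketch of how the /user endpoint above could be hardened, as an added example that is not the webshop's code: the response is built from an allowlist, and the row to update is taken from the session instead of the request body. The in-memory USERS store, the field lists and the handler names are assumptions made for illustration.

```python
# Added example: constructed in-memory user store, hypothetical handler names.
PUBLIC_FIELDS = ("id", "name", "infix", "lastName", "email")  # no password, no admin
EDITABLE_FIELDS = ("name", "infix", "lastName", "email")      # id/password/admin are server-owned

USERS = {
    1: {"id": 1, "name": "Shop", "infix": "", "lastName": "Owner",
        "email": "owner@example.test", "password": "<hash-1>", "admin": True},
    3: {"id": 3, "name": "Sepp", "infix": "", "lastName": "JM",
        "email": "customer@example.test", "password": "<hash-3>", "admin": False},
}


class Forbidden(Exception):
    """Caller tried to act on a record that is not theirs."""


def get_current_user(session_user_id):
    """GET /user: return only the allowlisted fields of the session's own user."""
    user = USERS[session_user_id]
    return {field: user[field] for field in PUBLIC_FIELDS}


def update_current_user(session_user_id, body):
    """PUT /user: the target row comes from the session, never from the body."""
    if body.get("id", session_user_id) != session_user_id:
        raise Forbidden("body id does not match the authenticated user")
    changes = {}
    for field in EDITABLE_FIELDS:
        if field in body:
            if not isinstance(body[field], str) or len(body[field]) > 254:
                raise ValueError(f"invalid value for {field}")
            changes[field] = body[field]
    # Validate everything first, then apply, so a bad field leaves the row untouched.
    USERS[session_user_id].update(changes)
    return get_current_user(session_user_id)
```

Fields outside EDITABLE_FIELDS, such as "admin" or "password", are ignored even when the client sends them.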

Let's order something!

So I add something to my cart

And it apparently gets reserved in the back-end, so you can't order more than the stock. Thanks for telling me, API!

So like any normal customer, I repeat the API call for reserving more than the actual stock of 1.

3 is perfect

And eventually I place the order

Let's see the order history:

Nice, the back-end didn't accept more than the available stock, but did let me pay for it. Haha, that's what you get for trying to break it :P

But let's resend the request to the order API:

Oops, we just created the exact same order without there being any stock...

So what do we actually send to the back-end order API?

{
    "name": "Sjonnie",
    "infix": "",
    "last_name": "Customer",
    "zipcode": "1111AA",
    "houseNumber": 12,
    "notes": "Need it ASAP",
    "products": [
        {
            "id": 81,
            "name": "[redacted]",
            "price": 8999,
            "description": "[redacted]",
            "imgURL": "",
            "imageUrls": ["", ""],
            "createDate": "2025-07-21T09:38:21.767+00:00",
            "brandName": "[redacted]",
            "subCategory": "[redacted]",
            "reserved": false,
            "isReserved": true,
            "amount": 3
        }
    ]
}

That's a lot of information, let's try editing stuff :)

Actually, sending the redacted version already shows what happens:

I first thought I placed an order for a non-existing item, but I was wrong. What just happened is fatal. You might've seen that we send the ID, right? Yup, this API had just overwritten the original item in the database:

Existing orders changed

Whoops

So we end with placing an order for one last item, and adding it to the web shop by placing this order:

{
    "name": "Sjonnie",
    "infix": "",
    "last_name": "Customer",
    "zipcode": "1111AA",
    "houseNumber": 12,
    "notes": "Need it ASAP",
    "products": [
        {
            "id": 75,
            "name": "Shrek",
            "price": 888999,
            "description": "Shrek is what it is",
            "imgURL": "https://beam-images.warnermediacdn.com/BEAM_LWM_DELIVERABLES/d8702a49-eced-457f-87b5-afe881ee72a0/d1695cce67928ee0db0a45b81fdcb0a865ff51a8.jpg?host=wbd-images.prod-vod.h264.io&partner=beamcom",
            "imageUrls": ["https://beam-images.warnermediacdn.com/BEAM_LWM_DELIVERABLES/d8702a49-eced-457f-87b5-afe881ee72a0/d1695cce67928ee0db0a45b81fdcb0a865ff51a8.jpg?host=wbd-images.prod-vod.h264.io&partner=beamcom", ""],
            "createDate": "2025-07-21T09:38:21.767+00:00",
            "brandName": "Shrek",
            "subCategory": "ogers",
            "amount": 1
        }
    ]
}

Order mail:

Proud owner of Shrek (to be shipped)

This is where I stopped, as it was clear what the issues were.

Moral of the story?

Just because it works doesn’t mean it’s secure. Give end users little to no input beyond their own data. Assume every user could be a bad actor. Keep 99 % of the logic on the back-end and follow a basic “block everything except …” principle. Let them point and click while you handle the rest. We laughed our asses off, and my friend learned a thing or two.
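The "block everything except …" principle applied to the order API from this story, as an added example that is not the webshop's code: the server reads only the product id and amount from each line, takes name and price from its own catalogue, and checks and decrements stock in one step so a resent request is refused. The CATALOG contents, the lock standing in for a database transaction, and all function names are assumptions.

```python
import threading

# Added example: constructed catalogue and hypothetical names, prices in cents.
CATALOG = {81: {"name": "Constructed product", "price": 8999, "stock": 1}}
ORDERS = []
SHIPPING_FIELDS = ("name", "infix", "last_name", "zipcode", "houseNumber", "notes")
LOCK = threading.Lock()  # stands in for a database transaction


class OrderRejected(Exception):
    """The request was refused and nothing was written."""


def place_order(session_user_id, body):
    """Build the order from server-side data; the client only picks ids and amounts."""
    wanted = {}
    for item in body.get("products", []):
        if not isinstance(item, dict):
            raise OrderRejected("each product line must be an object")
        pid, amount = item.get("id"), item.get("amount")
        # type() rather than isinstance() so that True/False are not accepted as ints
        if type(pid) is not int or type(amount) is not int or amount < 1:
            raise OrderRejected("each line needs an integer id and a positive amount")
        if pid not in CATALOG:
            raise OrderRejected(f"unknown product {pid}")
        wanted[pid] = wanted.get(pid, 0) + amount  # merge duplicate lines
    if not wanted:
        raise OrderRejected("empty order")

    with LOCK:  # check and decrement stock as one atomic step
        for pid, amount in wanted.items():
            if amount > CATALOG[pid]["stock"]:
                raise OrderRejected(f"not enough stock for product {pid}")
        lines = []
        for pid, amount in wanted.items():
            product = CATALOG[pid]
            product["stock"] -= amount
            # name and price are copied from the catalogue, never from the request
            lines.append({"id": pid, "name": product["name"],
                          "unit_price": product["price"], "amount": amount})
        order = {
            "user_id": session_user_id,
            "shipping": {f: body.get(f) for f in SHIPPING_FIELDS},
            "lines": lines,
            "total": sum(line["unit_price"] * line["amount"] for line in lines),
        }
        ORDERS.append(order)
        return order
```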

Please be careful with vibe‑coding. But don't stop learning!

Proost,