
Is this use of MD5 subject to the known length extension attack? If so, what would be a better alternative to use for an HMAC hash?

Discussed here: http://tools.ietf.org/html/rfc6151



The article recommends using a form of HMAC and not MD5 directly. The first code example is just a basic example of the general concept behind it.


I guess this is yet another reminder that the first example sticks (waterfall model).


That particular case isn't vulnerable to length extension, since the key is placed at the end of the message. This MAC breaks down, however, when the function used is not collision-resistant.

HMAC offers some level of protection against collision-weak hash functions, and that's why you can still use HMAC-MD5 today and be pretty OK (although I don't recommend it!).


If it was `message = payload + "." + MD5(secret_key + payload)` then yes, it would be vulnerable.

It is `message = payload + "." + MD5(payload + secret_key)` though, so it is not vulnerable. The attacker cannot extend the payload part.
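The three constructions compared in this thread side by side, as an added Python example (not code from the thread or from the linked article): the key-prefix MAC the thread calls length-extendable, the key-suffix MAC the article actually uses, and HMAC, both via the standard library and written out from RFC 2104 so the nested structure is visible. The key and payload values are constructed for the demo, and `make_message`/`verify_message` assume the `payload + "." + tag` layout quoted above. SHA-256 is used as the default HMAC hash to illustrate the "better alternative" asked for in the top comment; the from-scratch version is checked against the RFC 2104 HMAC-MD5 test vector.

```python
import hashlib
import hmac

# Constructed demo key; not a value from the thread or the article.
SECRET_KEY = b"constructed-demo-key"


def naive_prefix_mac(key: bytes, payload: bytes) -> str:
    """MD5(secret_key + payload): the form the thread says IS vulnerable to
    length extension, because the digest is just the hash's internal state
    after absorbing key||payload and that state can be continued."""
    return hashlib.md5(key + payload).hexdigest()


def naive_suffix_mac(key: bytes, payload: bytes) -> str:
    """MD5(payload + secret_key): the form the article uses. The key follows
    the payload, so there is nothing to extend, but the scheme now relies on
    MD5 being collision-resistant, which it is not."""
    return hashlib.md5(payload + key).hexdigest()


def hmac_from_scratch(key: bytes, payload: bytes, hash_ctor=hashlib.md5) -> str:
    """HMAC exactly as RFC 2104 defines it:
        H((K xor opad) || H((K xor ipad) || payload))
    The outer hash over the inner digest is what defeats length extension and
    what lets HMAC tolerate some weakness in the underlying hash."""
    block_size = hash_ctor().block_size          # 64 bytes for MD5 and SHA-256
    if len(key) > block_size:                    # long keys are hashed first
        key = hash_ctor(key).digest()
    key = key.ljust(block_size, b"\x00")         # then zero-padded to a block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hash_ctor(ipad + payload).digest()
    return hash_ctor(opad + inner).hexdigest()


def hmac_mac(key: bytes, payload: bytes, algo: str = "sha256") -> str:
    """The same thing via the standard library; SHA-256 by default as the
    recommended alternative, 'md5' if you want to compare with HMAC-MD5."""
    return hmac.new(key, payload, algo).hexdigest()


def make_message(payload: bytes, key: bytes = SECRET_KEY) -> bytes:
    """Build payload + "." + tag using HMAC rather than a bare MD5."""
    return payload + b"." + hmac_mac(key, payload).encode("ascii")


def verify_message(message: bytes, key: bytes = SECRET_KEY) -> bool:
    """Split on the last '.', recompute the tag, compare in constant time so
    the verifier does not leak how many tag bytes matched."""
    payload, sep, tag = message.rpartition(b".")
    if not sep:
        return False
    expected = hmac_mac(key, payload).encode("ascii")
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    msg = make_message(b"user=alice")
    print(msg)
    print("valid:", verify_message(msg))
    print("tampered valid:", verify_message(msg.replace(b"alice", b"admin")))
    print("prefix MAC :", naive_prefix_mac(SECRET_KEY, b"user=alice"))
    print("suffix MAC :", naive_suffix_mac(SECRET_KEY, b"user=alice"))
    print("HMAC-MD5   :", hmac_from_scratch(SECRET_KEY, b"user=alice"))
```

The takeaway matches the thread: moving the key after the payload closes the length-extension hole but leaves you exposed to MD5 collisions, whereas HMAC's two nested hashes address both, and swapping the hash for SHA-256 costs one argument.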



