re: Yes, although it's mostly a front-end issue. On the back-end if you try to access DB data in a non-async way you'll quickly realize that the data i...

The kind of issues that PHP enables are more like "let's execute this unfiltered user input" which is way more dramatic than a randomly-bugged front-end component.

Validating the user input is anything but trivial. But I don't think Javascript is doing it better. AFAIK, MVC c# it does it right, we could validate the type, the long, if it is present or not and such.

There are some libraries that do this job but natively both languages don't do their duties.



Oh well, I assumed that frameworks would make sure that req.param('name') is a valid unicode string while $_GET['name'] can be any string of bytes but maybe I'm expecting too much?

In any case, you can write stupid code in all languages. But to be specific to the $_GET issue, it's so easy to break encapsulation using it (because it's global). Same thing with $_REQUEST, what is the point of this except getting X-whatever-scripting attacks from all sides?

PHP is just next-level compared to anything else in terms of possible misuses.

Code of Conduct Report abuse