Oh well, I assumed that frameworks would make sure that req.param('name') is a valid unicode string while $_GET['name'] can be any string of bytes, but maybe I'm expecting too much?
In any case, you can write stupid code in all languages. But to be specific to the $_GET issue, it's so easy to break encapsulation using it (because it's global). Same thing with $_REQUEST, what is the point of this except getting X-whatever-scripting attacks from all sides?
PHP is just next-level compared to anything else in terms of possible misuses.