
I have seen productive systems over which money in the tens of thousands of Euros came in which had hidden fields in the HTML containing complete SQL queries which even included the price (apart from the obvious downfall of enabling someone to just POST a 'DROP TABLE' statement, etc.). I have seen systems with something like static 5-digit user authentication tokens that would show up in the URL; you could just sit behind an admin, note the token and be an admin forever. And of course I have seen the ugliest, completely unmaintainable mess of code that would be humanly possible, with no documentation whatsoever (of course).

To be fair, only the last thing you list could but doesn't have to apply to PHP, and they mostly refer to incompetent practices which could be applied with any language. I'm not going to be a PHP apologist, but I do remember a couple of weeks when it looked like every day there was another exploit in Rails (which is not Ruby blah blah blah) or a problem with exposing app tokens or something. Do I get to say Ruby is a toy language because at some point the YAML parser allowed for remote code execution?

Of course not, because that problem's been (I assume) fixed. The SQL libraries are being deprecated in PHP, it's had parameterized queries for a while. You can do secure cookies and sessions. People just don't -- it's not as integrated a community as with Rails and Python. You can't just say "everybody update your repos" and then the problem goes away, unfortunately. But that's an issue with education, and deployment, not necessarily the language.
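The two patterns the first comment describes (a hidden form field carrying the whole SQL statement, price included, and a short static token that identifies an admin) set against the fix the reply above alludes to (parameterized queries, proper sessions), as an added example that is not part of any comment in this thread. It uses Python's `sqlite3` and `secrets` modules over a constructed in-memory catalogue; the handler names, the form-field names and the one-hour session lifetime are assumptions made for the example.

```python
import secrets
import sqlite3

# Constructed sample catalogue for this example (not real data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER)")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY AUTOINCREMENT, "
        "product_id INTEGER, qty INTEGER, total_cents INTEGER)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, "widget", 1999), (2, "gadget", 4999)])
    conn.commit()
    return conn


def checkout_insecure(conn, form):
    """The anti-pattern from the thread: the HTML form's hidden field holds the
    entire INSERT statement, so the client decides the price (and the SQL).
    Kept only to contrast with checkout_hardened below."""
    cur = conn.execute(form["query"])
    conn.commit()
    return cur.lastrowid


def checkout_hardened(conn, form):
    """Accept only the identifiers the server needs; the price is never read
    from the client, and every value reaches SQL through a bound parameter."""
    try:
        product_id = int(form["product_id"])
        qty = int(form["qty"])
    except (KeyError, ValueError):
        raise ValueError("malformed order")
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    row = conn.execute("SELECT price_cents FROM products WHERE id = ?",
                       (product_id,)).fetchone()
    if row is None:
        raise ValueError("unknown product")
    total = row[0] * qty  # computed server-side from the catalogue
    cur = conn.execute(
        "INSERT INTO orders (product_id, qty, total_cents) VALUES (?, ?, ?)",
        (product_id, qty, total),
    )
    conn.commit()
    return cur.lastrowid, total


def order_total(conn, order_id):
    row = conn.execute("SELECT total_cents FROM orders WHERE id = ?",
                       (order_id,)).fetchone()
    return None if row is None else row[0]


# Session handling: an unguessable, expiring token instead of a static 5-digit id.
SESSION_TTL = 3600  # assumed lifetime in seconds


def new_session(store, user_id, now):
    """256 random bits from the OS CSPRNG; send it in a Secure/HttpOnly cookie,
    never in the URL, so it does not leak via logs, referrers or screenshots."""
    token = secrets.token_urlsafe(32)
    store[token] = (user_id, now + SESSION_TTL)
    return token


def session_user(store, token, now):
    """Resolve a token to a user, or None if unknown or expired."""
    entry = store.get(token)
    if entry is None or now > entry[1]:
        store.pop(token, None)
        return None
    return entry[0]


if __name__ == "__main__":
    db = make_db()
    oid, total = checkout_hardened(db, {"product_id": "2", "qty": "3", "price_cents": "1"})
    print("hardened order", oid, "total", total)  # client-supplied price ignored
```

The hardened handler only ever binds a product id and a quantity; anything else in the form, including a client-supplied price, is ignored rather than trusted, and an unknown product or out-of-range quantity is rejected before any INSERT happens.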

I also heard from a friend who had to fix something in the C code making up PHP about hundreds of lines of code being copy-pasted to different locations twelve times. While I haven't verified that for myself, it's not something I'd be surprised about.

Well... then that's just, like, your opinion man.
