Comment Re:Those aren't "programming" mistakes... (Score 1)
I half agree. Some of the items in the list are indeed design mistakes, but others really are programmer mistakes.
The SQL injection one is the primary one I'm thinking is really a programmer error. Take this case from Drupal/PHP:
db_query("SELECT * FROM {foo} WHERE bar='" . $_GET['bar'] . "'");
That is totally incorrect and SQL can easily be injected into the statement from outside. When the API is used *correctly* this is not an issue:
db_query('SELECT * FROM {foo} WHERE bar="%s"', $_GET['bar']);
The difference is pretty subtle here and can easily be lost on newbies. As parameters to the db_query function, untrusted inputs are cleaned. I have seen the former code on several sites that I took over from a former developer; they are certainly NOT design errors.
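The contrast the comment draws, as an added example that is not part of the original post and not Drupal's own code: the same lookup written both ways in Python against a constructed in-memory SQLite table standing in for {foo}, so the effect of splicing versus binding the untrusted value can be seen on real rows.

```python
import sqlite3

# Constructed sample table standing in for Drupal's {foo}.
SAMPLE_ROWS = [("alpha",), ("beta",), ("gamma",)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (id INTEGER PRIMARY KEY, bar TEXT)")
    conn.executemany("INSERT INTO foo (bar) VALUES (?)", SAMPLE_ROWS)
    return conn


def lookup_concatenated(conn, bar):
    # Mirrors db_query("... WHERE bar='" . $_GET['bar'] . "'"):
    # the input becomes part of the SQL text, so quotes in it change the statement.
    sql = "SELECT id, bar FROM foo WHERE bar='" + bar + "' ORDER BY id"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, bar):
    # Mirrors db_query('... WHERE bar="%s"', $_GET['bar']):
    # the driver binds the value as data, never as SQL syntax.
    sql = "SELECT id, bar FROM foo WHERE bar=? ORDER BY id"
    return conn.execute(sql, (bar,)).fetchall()


def compare(bar):
    """Run both forms on the same input; returns (concatenated_result, parameterized_result).

    If the concatenated statement no longer parses (a lone quote in the input),
    the name of the sqlite3 error class is returned in its place.
    """
    conn = make_db()
    try:
        concat_rows = lookup_concatenated(conn, bar)
    except sqlite3.Error as exc:
        concat_rows = type(exc).__name__
    param_rows = lookup_parameterized(conn, bar)
    return concat_rows, param_rows


if __name__ == "__main__":
    for value in ("beta", "x' OR '1'='1", "O'Brien"):
        print(repr(value), "->", compare(value))
```

For a well-formed value both forms agree; for a value carrying a quote, the concatenated form either returns rows the caller never asked for or fails to parse, while the bound form simply finds no row with that literal text.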