It appears that PHP, upon seeing an incoming parameter with a name that ends in [something] (where something may be empty), automatically turns that variable into an array.
How many of you PHP developers out there knew that? I didn't. And I had to dig quite a bit to find a reference to this behaviour in the docs.
So, incoming stuff from the URL or the POST data are no longer strings all the time. Can they magically become other things than strings and arrays as well? Maybe not now, but what if some PHP developer thinks up another "nifty" feature _after_ I read the docs; how then am I supposed to protect my application in the future? Do I need to re-read the docs every time I upgrade PHP?
And is there a way to turn this "we know better than you what you need"-behaviour off?
I'm sick of seing framework developers add "nifty" features that you have to know about in order to write secure code. It's not only PHP, but also several highly popular Java frameworks that I work with these days. Some of them make it quite easy to write to object fields that are normally out of reach of the input fields in a form.
I want a framework that makes it impossible to make mistakes, and where you have to _enable_ potentially dangerous features when you _know_ you need them, rather than _disable_ potentially dangerous features most people don't know about (or use).