I started a PHP program seven years ago and it has grown extensively. While it was being evaluated by a co-worker who is a full-time programmer, he made this comment:
"It is written in 'raw' PHP. Raw PHP is known for security holes that other web frameworks mitigate without programmer intervention (SQL injection especially)."
My first question: is his first statement correct -- "Is PHP known for security holes?"
My second question: what are some bad practices that would make my code vulnerable to SQL injection?
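As an added illustration of the second question (this is editor-supplied example code, not code from the poster or from any framework), the script below puts the classic bad practice, interpolating request data straight into a SQL string, next to the two things that actually fix it: bound parameters for values, and an allow-list for anything that cannot be bound (identifiers such as an ORDER BY column). It uses PDO with an in-memory SQLite database so it runs offline; the `users` table, its rows and the attacker string are constructed sample data, and the function names are assumptions for the demo.

```php
<?php
// Added example, not from the original post. PDO + in-memory SQLite so it runs
// offline with `php sqli_demo.php`. Table, rows and inputs are constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)');
// Plaintext passwords only to keep the demo short; real code stores password_hash() output.
$db->exec("INSERT INTO users (name, password) VALUES ('alice', 's3cret'), ('bob', 'hunter2')");

// Bad practice: the SQL text is assembled from user input, so the input can
// change the structure of the statement, not just the value being compared.
function loginVulnerable(PDO $db, string $name, string $password): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name' AND password = '$password'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: prepared statement with bound parameters. The SQL text is fixed at
// prepare() time; the values travel to the driver as data and are never parsed
// as SQL, so quotes and comment markers inside them are inert.
function loginSafe(PDO $db, string $name, string $password): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name AND password = :password');
    $stmt->execute([':name' => $name, ':password' => $password]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Parameters can only stand in for values. A column name chosen by the user
// (sort order, for example) cannot be bound, so it must be checked against a
// fixed allow-list before it is spliced into the statement.
function listUsersSorted(PDO $db, string $sortColumn): array
{
    $allowed = ['id', 'name'];
    if (!in_array($sortColumn, $allowed, true)) {
        throw new InvalidArgumentException("unsupported sort column: $sortColumn");
    }
    return $db->query("SELECT id, name FROM users ORDER BY $sortColumn")->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: closes the string literal, appends an always-true
// condition and comments out the rest of the WHERE clause.
$attackerName = "alice' OR '1'='1' --";
$wrongPassword = 'wrong';

$hijacked = loginVulnerable($db, $attackerName, $wrongPassword);
echo "vulnerable query returned " . count($hijacked) . " row(s) for a wrong password\n"; // 2: every user

$denied = loginSafe($db, $attackerName, $wrongPassword);
echo "prepared statement returned " . count($denied) . " row(s)\n"; // 0: no such name

$ok = loginSafe($db, 'alice', 's3cret');
echo "legitimate login returned " . count($ok) . " row(s)\n"; // 1

echo "sorted by name: " . implode(', ', array_column(listUsersSorted($db, 'name'), 'name')) . "\n";
try {
    listUsersSorted($db, 'name; DROP TABLE users');
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

Two further points worth checking in an older code base: escaping-based defences (`addslashes()`, the long-removed `magic_quotes_gpc`, or hand-called `mysql_real_escape_string()`) have to be remembered at every single call site and are easy to get wrong, which is why the prepared-statement approach above is preferred; and the old `mysql_*` extension was removed in PHP 7, so code still using it will have to move to `mysqli` or PDO anyway, which is a natural moment to switch every query to bound parameters.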