Yeah, it is farrrrrrrr too easy to make really bad code in PHP.
There are a lot of bad tutorials around which are also vulnerable to these sort of things, which does not help new programmers. People do not treat security as an important part of the learning process, it's more of a "what you'll learn later when you get good!", which leads to bad, bad things happening.