That is pretty atrocious - I was very meticulous about issues like that (verifying ownership of resources before modifying them!) when I writing a what I knew to be an amateurish ecommerce system, with 9 months of PHP experience. No CS degree, nobody to help me. If they're doing stuff like this, the security situation is even worse than people are saying. If you can't get the huge grain issues even remotely right, the fine grained stuff is sure to slide right past you.