Yes. The thing he did wrong IMO was to unleash a scripting language hiding in SGML-ish processing instructions without HTML-aware context-dependent escaping upon the world (when SGML has plenty of rules for delimiter recognition in particular parsing contexts), and then later make up for this with braindead quoting routines (like real_escape_string). In other words, the quick and dirty way was chosen, and that choice has plagued websites in the form of injection attacks (and DDOS using PHP injection attacks targeting even non-PHP sites) to this date.