PHP code that didn't use sanitize, but manually checked if strings contained ' or ". Not even in a function, but manually implemented whenever the person writing that burning dumpsterfire thought it was a good idea to check for that.

Code also didn't report, it just exited without error code. Users would just get a white screen if that spaghetti code "security" system got tripped.