Hacker News
by closeparen 3521 days ago
>you never, ever, trust anything the client sends.

The author likely wrote code that correctly validates "for all security questions a correct answer is given" and just forgot about the part where "for-all propositions are trivially true of the empty set."

It's easy to read a for loop for what it's intended as - a loop - and not think about "what if we never enter it at all?"

1 comments

If we think "well, we need to have loops", we might be feeling despair right now. However, array languages don't need loops! I can write:

    min test each args
and I can do the same in JavaScript, it's just uglier:

    args.map(test).reduce(function(x,y){return Math.min(x,y)})
Writing in a functional style makes this kind of programming slightly less onerous, but it still feels strange in languages that are a bad fit.
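The empty-input case discussed in this thread, as an added example that is not part of either comment: a loop over client-supplied answers, the `map`/`reduce` form quoted above, and a check driven by the server's own list of questions. The `enrolled` record, the answer shape `{id, answer}` and all function names are assumptions made for illustration.

```javascript
// Constructed server-side record: the questions this account enrolled and their answers.
const enrolled = new Map([["q1", "rex"], ["q2", "springfield"]]);

// Loop over what the client sent: "every submitted answer is correct".
function allSubmittedCorrect(submitted) {
  for (const { id, answer } of submitted) {
    if (enrolled.get(id) !== answer) return false;
  }
  return true; // also reached when the loop body never ran (submitted = [])
}

// The map/reduce form from the reply, with test returning 1 (pass) or 0 (fail).
// With no initial value, reduce throws a TypeError on an empty array instead of
// returning a result; passing an initial value of 1 would bring the empty-input pass back.
function minOfTests(submitted) {
  const test = ({ id, answer }) => (enrolled.get(id) === answer ? 1 : 0);
  return submitted.map(test).reduce((x, y) => Math.min(x, y));
}

// Server-driven check: iterate over the enrolled questions, so the set of
// questions that must be answered is never chosen by the client.
function allEnrolledAnswered(submitted) {
  if (!Array.isArray(submitted) || enrolled.size === 0) return false;
  const given = new Map();
  for (const { id, answer } of submitted) {
    if (given.has(id)) return false; // reject duplicate question ids
    given.set(id, answer);
  }
  if (given.size !== enrolled.size) return false; // missing or extra questions
  for (const [id, expected] of enrolled) {
    if (given.get(id) !== expected) return false;
  }
  return true;
}
```
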