It would seem kind of stupid if they were smart enough to implement validation but not smart enough to limit user access to it. Of course there's no accounting for the depths of stupidity.
That would actually not surprise me at all. There are a lot of Web devs who can make a site that renders in the browser and mostly works, but can't wrap their minds around the difference between server-side code and client-side. Browse through the JavaScript tag on Stack Overflow and you'll come across more than you can shake a stick at. Many people (either due to willful ignorance or a sad gap in their education) write functions like:
function getTime() {
<?php return time(); ?>
}
It's not at all improbable that somebody told them their site was vulnerable to SQL injection, so they took a brief glance at the Wikipedia page and said, "I know, I'll just stop people from writing this stuff." So they open up the page where people might be entering the malicious text and write some code that will stop them. They run it in their browser and it works — none of their SQL strings make it through. They have now fixed the problem, as far as they are concerned, and the site owner doesn't know enough to tell them how utterly braindead their approach is.
That wouldn't be a good reason for writing that code. Putting it in a function like that suggests that you expect the value to change. It's like the xkcd joke where a random() function is implemented to return 4, as determined by a fair dice roll. If you just wanted to store the time the page was generated, it would make more sense to use a constant — for example:
window.pageBirthday = <?php echo time(); ?>
Also, if they're on Stack Overflow asking why it doesn't correctly report the current time, that's a pretty good indicator that they're simply mistaken.
