PHP tags in URL

So I made a landing page for all these forms that the marketing department at my work makes. One of the fields they pass is a URL that I redirect to after I'm done processing - a thank you page.

Recently, I discovered a URL that looked like this:

http://www.oursite.com/folder/thank-you.php?thankyou=free-guide&amp;adgroup=<?php echo nfpa-c ?>&amp;reference=<?php echo  ?>

Does this amount to anything but the form creator being dumb? My page is throwing huge errors about security and cross-site scripting, etc. What are the implications of this? Is there any legitimate reason to do this?

EDIT/UPDATE: My landing开发者_如何学C page is in ASP.NET. The error it mentions is possible cross-site scripting.

<?php echo nfpa-c ?

I don't think it's the poster being dumb - this looks more like an outgoing form was not setup properly (e.g. PHP instructions used in a .html page that doesn't get parsed by the PHP interpreter.)

Check out the originating forms and look into their source code.

There is no legitimate reason to pass PHP code on the url like this. In fact it would be a Remote Code Execution Vulnerability, which is as bad as it gets its like like saying "Check Mate". I would make sure that that you don't have this code running, although its likely a bug because in php they would use eval("echo 'nfpa-c'");, you can't eval php tags like that, so its probably untested code.