A php script is executed on a server.. Which the client browser knows nothing of.. What if the script is malicious?

You would need to use a combination of things in order to affect the client side of it, because as you said, the script is executed on the server, not your computer. However, that doesn't mean you can't use server-side script to have JavaScript do something particular on the client end, or even use JavaScript in general to do whatever you're wanting them to do. For example, I could have the JavaScript send a request to the server via PHP and have it download malicious stuff onto your computer. That's just one of many examples of how I could use it against you. However, this is why it's very important when you're online to be cautious of the websites you go to. There are many websites like that, and it's up to you to exercise discernment with the websites you frequent. On the flip side of things, you want to protect your scripts and make sure it doesn't allow certain input to them. For example, if you don't protect the inputs that send information to your database, I could easily inject my own code into your database and cause harm to it .

Bravo!!!!!