Is the following code safe?
$d = new DateTime($_GET["date"]);
AFAIK there are no direct ways to use date format string for malicious purposes. However, there may be some peculiarities in different OS, so - would you add an additional check to ensure that date look exactly like yyyy-mm-dd?
I'm using both PHP5.6 & PHP7.
Yes, this code is always safe. In the worst case someone tries to send something malicious and an exception is thrown because it's not a valid date. I would wrap it in a try/catch:
try {
$date = new \DateTime($_GET["date"]);
} catch (\Exception $e) {
// Log and return a status code of 404 or similar
}