It's a really horrible language. No typing (although recently they tacked that on, which nothing supports), completely broken async (I tried making a discord bot, after spending days desperately attempting to get it to function, switching libraries, looking at docs, looking at raw source code, I gave up and conceded that it is simply non-functional), bizarre practices like putting underscores in method names instead of simply using keywords, absolutely the worst tooling I have ever experienced in my life that performed so badly it made me miss Java. It absolutely is the result of colleges pushing a toy language on college students who aren't experienced enough to realize that every mainstream language does everything it attempts to do far better. I tried to tolerate it and found myself wishing that I'd rather be pulling my fingernails out.

It does have some nice things though. I like that it has a logger built-in.

If anyone starts a PHP project these days they'll use a framework. If they just use the standard form functions in those then SQL injection won't be an issue. And even if they're not using a framework preventing SQL injection isn't hard.

This goes for pretty much all interpreted languages.

You could argue the exact same thing with C and all the memory injection and corruption shenanigans over the decades.

The language has absolutely nothing to do with SQL injection. Bad code does. You can interpolate strings on every language and become vulnerable in the exact same way.

You have no idea where SQL injection vulnerability comes from. It has nothing to do with the language's type system, but string interpolation and concatenation of input into queries instead of using prepared statements.

LOL. Sure, I have no idea. I was just a maintainer of one of the biggest data base systems on the planet. (PBs of data, SQL and non-SQL access, millions of queries per second).

The string interpolation issues and concatenation into queries has all to do with weak type system. With proper typing system and proper use of it in the SQL client library, can be 100% eliminated. Sure, you can avoid issues by being careful, but there are actually ways to make certain you don't have these issues in the first place.

They can be eliminated by using the proper (native) tools instead of writing code like a monkey trying to reproduce Shakespeare. Being an incompetent programmer is not an excuse for blaming the shortcomings of a language.

PHP design wise is probably the worst language you can think of. Its only used by services that were originally written in PHP 20 years and are now too big to migrate (ergo facebook) or developing countries because they are often behind the times.

5 minutes of googling will show you how terrible the language is, even the creator admitted he wasn't serious when making it.

Actually you are also kinda half wrong, if your language has an expressive enough type system (and/or macros) you can prevent SQL injection even without prepared statements, i.e. have a look at https://github.com/getquill/quill

Of course you should be using prepared statements when possible (for performance reasons) however in a lot of cases its not possible, i.e. its not possible (in most SQL servers I am aware of) to make a prepared statement that uses the ordering direction as a variable (i.e. ORDER BY ASC)

PHP indeed suffers the legacy of its modest birth, being invented by a guy who just wanted to have a dynamic site with C-like API function calls to create it manually, not something "philosophically" inspired like Rust, Python or Erlang, which have been designed with some goals in mind.

Currently it suffers a lot of idiosyncrasies that are left in the language for compatibility and sometimes new horrors are still thrown in but (I think of DateTimeImmutable), if you are an experienced PHP developer, you can walk around the idiosyncrasies and produce very good and fast code even with PHP. It has been enriched by a lot of modern languages features, like proper class model, generators, variadic arguments, type hinting (although weak type hinting is used by default), etc... etc.. and now it is a JIT interpreter too.

One of the bad things is the lack of proper documentation, especially when dealing with non-core libraries that mostly look like wrapper glue around the C libraries (think of imagick, for example), but indeed is a very very comfy templating language, which makes it ideal for web.

The fact that has a very light learning curve attracts lot's of people without experience, and that's why you see tons of bad PHP code around, but the core language itself has nothing to be really blamed, although it requires to be tidied up a lot yet.

Uhm... it looks like you don't like PHP, don't like Python, don't like even Java... I may guess that you don't like being a programmer...!

I'm not a fan of Python and indeed when I started working with I criticized it a lot, then found myself quite acquainted with it. The problem was not the language, but my expectations from the language. It treated it as a java-like language, and every time I worked with was a cold shower. Then realized that the strong points of the language are on the opposite site of Java (duck typing, on top of all), started following the "flow" of the language instead of forcing it and now I'm quite fluent and happy with Python (as I am fluent and happy with PHP or C/C++).

It has horrible things like the GIL that makes multithreading very limited and it is incredibly slow, but this is not a language problem but instead interpreter issues.

I mean, does anyone?