by marcosdumay 3857 days ago
Not the language?

PHP is the only lasting language where making code that allows SQL injection is easier than code that forbids it.

PHP includes all the worst practices you'll find in any language. JavaScript has the eval problem; PHP has it too. Perl has the too-fluid type system where you can't specify anything; PHP too, except that it lacks Perl's tainted mode. ASP made it easier to create code subject to XSS than code that isn't, and is subject to directory traversal; guess what, PHP copied it... and the list goes on and on.

This release still fixes some more problems, but PHP will never become a good language.


> PHP is the only lasting language where making code that allows SQL injection is easier than code that forbids it.

Pretty sure this is true for any language; the key difference is education. When learning JDBC, for example, you're taught to use prepared statements with params vs. string concatenation.

It's not just about education. PHP encourages bad practice. The language is implemented by people who haven't learned from the past 30 years of language design. It's made available to beginners and presented as "easy" when dealing with all the gotchas is everything but. Etc. Sure, you can learn how it works and a competent person could probably write safe code with it (given enough time). But it's really a dangerous language, the use of which should be discouraged. Better alternatives exist.
Heck, a very popular Java book (Android programming specifically) has examples of database queries using concatenation (and hence SQLi).
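The contrast the JDBC reply and the Android-book remark both describe, concatenated query text versus a prepared statement with parameters, as an added example that is not part of the thread. It is written in Python against an in-memory SQLite table rather than in PHP or JDBC so it runs offline; the `users` table, its two rows and the test inputs are constructed for the demonstration. The same two query shapes exist in every database API, which is the reply's point.

```python
import sqlite3

# Constructed sample table; not data from the thread.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Build a throwaway in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, name):
    """The pattern the thread criticises: untrusted input spliced into the SQL text.

    The database cannot tell where the query ends and the data begins, so any
    quote character in `name` changes the meaning of the statement.
    """
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, name):
    """Prepared statement with a bound parameter.

    The query text is fixed; the driver passes `name` as a value, never as SQL,
    so quotes inside it are just characters to compare against.
    """
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def safe_call(fn, conn, name):
    """Return the row count, or the string 'error' if the query failed to parse."""
    try:
        return len(fn(conn, name))
    except sqlite3.Error:
        return "error"


def demo():
    """Run both query styles over three constructed inputs and report row counts."""
    conn = make_db()
    benign = "alice"                 # an ordinary lookup
    apostrophe = "O'Brien"           # honest input that happens to contain a quote
    tautology = "x' OR '1'='1"       # the textbook injection string
    return {
        "concat_benign": safe_call(lookup_concat, conn, benign),
        "concat_apostrophe": safe_call(lookup_concat, conn, apostrophe),
        "concat_tautology": safe_call(lookup_concat, conn, tautology),
        "prepared_benign": safe_call(lookup_prepared, conn, benign),
        "prepared_apostrophe": safe_call(lookup_prepared, conn, apostrophe),
        "prepared_tautology": safe_call(lookup_prepared, conn, tautology),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The concatenated version answers the benign lookup correctly, fails outright on a legitimate name with an apostrophe, and returns every row for the tautology; the prepared version returns one, zero and zero rows respectively. That is the whole argument for teaching parameters first: the correct code is not longer, it is just a different habit.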