[tehbeard]

> PHP is the only lasting language where making code that allows SQL injection is easier than code that forbids it.

Pretty sure this is true for any language, the key difference is education. When learning JDBC for example, you're taught to use prepared statements with params vs. string concatenation.

[jjuhl]

It's not just about education. PHP encourages bad practice. The language is implemented by people who haven't learned from the past 30 years of language design. It's made available to beginners and presented as "easy" when dealing with all the gotcha's is everything but. Etc. Sure, you can learn how it works and a competent person could probably write safe code with it (given enough time). But it's really a dangerous language, the use of which should be discouraged. Better alternatives exist.

[ircmaxell]

Heck, a very popular Java book (Android programming specifically) has examples of database queries using concatenation (and hence SQLi).