[gozo]

"Did they implement defenses against common web vulnerabilities like SQL injection?"

Prepared statements has been available with PDO since 2005. It might very well have had bugs, but that isn't uncommon.

[reality_czech]

Yes, it's possible to write secure code in PHP. Just more difficult than in other languages because you are fighting against the design of the language.