by smsm42 2427 days ago
You sound like PHP is somehow particularly bad in this regard. While this issue is nothing to be proud of, the same kind of issues (and other RCE-causing issues too) are regularly found in many major products and libraries. There's no reason to specifically shame PHP for something that happens everywhere. Good defense-in-depth practices are always a good idea, but there's no need to motivate them by casting PHP as some kind of particular villain.

App security is still not on a par with other language ecosystems. I don't think, for example, I've heard of a Python-based SQL injection in many years. Stuff like that seems to still crop up regularly in PHP land.

Now you are confusing security of PHP as a platform with security of applications written in PHP. Python had 2 RCEs in 2018: https://www.cvedetails.com/vulnerability-list/vendor_id-1021... None in 2019 so far. PHP had none in 2018 and has one in 2019 so far (there's another one in the http module, but it's not part of the core).

> I don't think for example I've heard of a Python based SQL injection in many years. Stuff like that seems to still crop up regularly in PHP land

This is an extremely subjective statement based on your personal experience of what you heard and didn't. As such, it's not verifiable and not useful. What is useful is to know that, obviously, PHP, as well as Python, has had SQL implementations that eliminate injections for decades. And as in Python, there could be people who ignore it and stuff query params directly into strings. This has nothing to do with anything but these people being ignorant. There are of course tons of web apps in PHP, many more than in Python, so among them there would inevitably be crappy ones. If you run one of them, do take precautionary measures.

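The mechanism the comment above refers to, "stuffing query params directly into strings" versus using the driver's parameter binding, is shown below as an added example; it is not code from any commenter in the thread. It uses Python's standard-library sqlite3 module with a constructed in-memory users table (the table, the names and the passwords are made up for the demo), and puts the string-spliced query beside the parameterized one so the difference in behaviour on the same input is visible.

```python
import sqlite3

# Constructed sample data for the demo (not from the thread).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_concat(conn, name, password):
    """Vulnerable form: user input is spliced into the SQL text, so the
    database parses attacker-controlled characters as part of the query."""
    sql = (
        f"SELECT name FROM users WHERE name = '{name}' "
        f"AND password = '{password}' ORDER BY name"
    )
    return [row[0] for row in conn.execute(sql)]


def login_param(conn, name, password):
    """Hardened form: the SQL text is fixed and the values are bound by the
    driver, so input is only ever compared as data, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name, password))]


if __name__ == "__main__":
    conn = make_db()
    # A quote character in the password changes the meaning of the spliced
    # query but is just an unmatched string for the parameterized one.
    odd_password = "' OR '1'='1"
    print("concat:", login_concat(conn, "alice", odd_password))  # every row
    print("param: ", login_param(conn, "alice", odd_password))   # no rows
```

The point of putting the two side by side is that the fix is not input filtering but keeping query structure and data in separate channels; any driver that offers placeholders (PDO in PHP, DB-API parameters in Python) gives the same guarantee.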
> Now you are confusing security of PHP as a platform with security of applications

The parent comment explicitly made this distinction.