by gregjor 1388 days ago
None of these are true of modern PHP, which is fairly old by now. It’s possible to write bad and insecure code in PHP, but that’s true of every web-oriented language and framework.

PHP in production runs behind Apache or Nginx, so directory traversal and similar attacks should get stopped there. In 20 years of working on PHP code I have never seen this particular vulnerability, though I can imagine how it might happen.

PHP has a bad reputation mainly because inexperienced programmers and even non-programmers choose it as the path of least resistance. Python code suffers from the same problem, though Python is not nearly as popular for developing web sites as PHP.