[yupyupyups]

Is PHP still unhelpful when it comes to writing secure code?

I remember when escaping SQL input data was "the correct way" to use your mysql database. Parametrization? Nah, just use mysql_escape_string or whatever it was called.

[Octoth0rpe]

php has kept around a lot of functionality that can be misused, but PDO has had parameterization since forever and is the go to method if you want to connect to a database. Beyond that though, most PHP projects at this point are likely using a query builder/orm like eloquent.

So I guess it depends on what you mean by unhelpful. PHP as a language makes it pretty easy to do bad stuff. PHP as a community makes it easy to Do The Right Thing.

[krapp]

Prepared statements have been available in PHP for over 20 years, when it deprecated the old mysql libraries. They were removed entirely in PHP 7.

And let's be real - most handwritten SQL code in existence in most languages just builds queries from concatenated strings, even when more secure options exist. A lot of code doesn't even bother to escape anything. That's not a language problem so much as a developer laziness and assumption that "simplicity always equals correctness and frameworks are always wrong" problem.

[amiga-workbench]

You use PDO and prepared statements. Although realistically, you are going to be using a framework and some kind of Active Record pattern.

[g105b]

SQL named parameters was a feature introduced into PHP on 24th Nov 2005, with the release of PHP 5.1.0.

[Ayesh]

the MySQL extension was dropped in PHP 7.0.