include $_GET[...], register_globals, magic quotes, extract($_REQUEST), weak comparisons, loose typing, eval, risky file upload defaults/patterns, preg_replace /e, dangerous deserialization gadget chains, path traversal into includes, and the whole "URLs can be file paths" abstraction...
PHP is basically "RCE-as-a-Service" as far as I'm concerned. Allowing a URL in any function that wanted a file path was an absolutely bone-headed design choice. They made `curl | php` a language feature.
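As an added illustration (not code from the thread), the include pattern named above beside an allow-list version that never derives a path from the request; the `page` parameter and template names are constructed for the example.

```php
<?php
// Added example, not from the original thread. Template names and the
// "page" request parameter are constructed for illustration.

// Weak pattern from the comment above: the request decides the path, and
// with allow_url_include=On a URL is a valid include target as well.
function render_weak(string $page): void
{
    include $page;                    // $page came straight from $_GET
}

// Hardened pattern: map request values onto a fixed allow-list and refuse
// anything else, so no request data ever becomes part of a filesystem path.
const TEMPLATES = [
    'home'    => __DIR__ . '/templates/home.php',
    'about'   => __DIR__ . '/templates/about.php',
    'contact' => __DIR__ . '/templates/contact.php',
];

function resolve_template(?string $page): ?string
{
    // strict array lookup: no type juggling, no string concatenation
    return TEMPLATES[$page ?? ''] ?? null;
}

function render_safe(?string $page): void
{
    $path = resolve_template($page);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    include $path;
}

// Defence in depth: confirm the runtime setting the allow-list does not
// depend on, but which should still be off. ini_get() returns "0"/"1"/"".
function include_settings_ok(): bool
{
    return !filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

render_safe($_GET['page'] ?? null);
```

Pair the code-level allow-list with `allow_url_include=Off` (the default since PHP 5.2) and log rejected `page` values, since a spike of 404s from that branch is a cheap scanning signal.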
Like everything it depends on your goals. As a novice developer PHP is wonderful. Everything you see as an obvious security failing is exactly what made it great to a new dev back when most of that was still allowed by default.