PHP has been known to provide convenient footguns in the past (e.g. register_globals, mercifully depreciated), so it's not surprising that security-minded people give it a hard time.

Think of it as the difference between the language keeping loaded footguns under its pillow with the safety off and keeping unloaded footguns in a locked gun safe. One is a lot less likely to get used than the other, even if either one will shoot your foot just as well.

Rehashing old design floors is not an excuse to blame PHP for programmer error.

It doesn't seem fair to call a defect "old" if it wasn't seriously addressed between then and now. I had to pick up PHP (presumably because of heinous sins in a past life) and every tutorial I saw was still pasting user input into non-parameterized queries. There are apparently several different MySQL clients, and our production boxes still had the original (inexplicably still in existence) which didn't even support parameterized queries. And that was in 2007!

Just hit the same issue here in 2011. Plesk, a popular package for managing shared hosting used by hosting companies, doesn't include the MySQL drivers for PDO (what's meant to be PHP's "standard" database library).

Last week I had to rewrite an import script to use mysql_query(), with mysql_real_escape_string() and quotes for every query variable.

In a language like Ocaml or Haskell a SQL library can make it impossible to query the DB with unsanitized queries.