
Is PHP still unhelpful when it comes to writing secure code?

I remember when escaping SQL input data was "the correct way" to use your MySQL database. Parametrization? Nah, just use mysql_escape_string or whatever it was called.



PHP has kept around a lot of functionality that can be misused, but PDO has had parameterization since forever and is the go-to method if you want to connect to a database. Beyond that though, most PHP projects at this point are likely using a query builder/ORM like Eloquent.

So I guess it depends on what you mean by unhelpful. PHP as a language makes it pretty easy to do bad stuff. PHP as a community makes it easy to Do The Right Thing.


Prepared statements have been available in PHP for over 20 years, when it deprecated the old mysql libraries. They were removed entirely in PHP 7.

And let's be real - most handwritten SQL code in existence in most languages just builds queries from concatenated strings, even when more secure options exist. A lot of code doesn't even bother to escape anything. That's not a language problem so much as a developer laziness and assumption that "simplicity always equals correctness and frameworks are always wrong" problem.


You use PDO and prepared statements. Although realistically, you are going to be using a framework and some kind of Active Record pattern.


SQL named parameters were a feature introduced into PHP on 24th Nov 2005, with the release of PHP 5.1.0.
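The two patterns the thread contrasts, side by side, as an added example that is not from any commenter: the concatenated query that "escape and hope" code builds, and the PDO prepared statement with a named parameter. It assumes an in-memory SQLite database (constructed here so it runs offline); the PDO calls are the same for pdo_mysql.

```php
<?php
declare(strict_types=1);

// Constructed example: an in-memory SQLite database stands in for MySQL so
// the script runs offline. The PDO API is identical for the MySQL driver.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With pdo_mysql you would additionally set PDO::ATTR_EMULATE_PREPARES to
// false so the server, not the client library, binds the parameters.

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (name, email) VALUES "
    . "('alice', 'alice@example.com'), ('o''brien', 'ob@example.com')");

// The concatenation pattern the thread describes. Any quote in $name becomes
// part of the SQL text, so the input can alter the query's structure instead
// of being treated purely as data.
function findUserUnsafe(PDO $pdo, string $name): ?array
{
    $sql = "SELECT id, name, email FROM users WHERE name = '" . $name . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The PDO prepared statement with a named parameter (available since PHP 5.1).
// The SQL text is fixed before any user data arrives; :name is always a value.
function findUserSafe(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$input = "o'brien";   // constructed input containing an apostrophe

try {
    var_dump(findUserUnsafe($pdo, $input));
} catch (PDOException $e) {
    // The apostrophe terminated the string literal: a syntax error on this
    // benign input, and a rewritten query on hostile input.
    echo 'unsafe query failed: ' . $e->getMessage() . PHP_EOL;
}

// The same input is bound as data, so the row for o'brien is found.
var_dump(findUserSafe($pdo, $input));
```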


The MySQL extension was dropped in PHP 7.0.



