No, unlike PHP, PHP.reboot is secure by default.
That's why PHP.reboot use DSLs, because it enables the runtime to know the context thus sanitize the inputs by itself.
As for "Secure by default". PHP can be perfectly secure. PDO supports parameterised queries, and was first available in PHP 5.1, which shipped just short of SIX YEARS AGO. Even mysqli supports parameterised queries, and that shipped more than SEVEN YEARS AGO.
If you're using the ancient mysql extension (i.e. the mysql* functions) that is YOUR FAULT, not the fault of the language.
Rémi