I feel like this is more of a role for a framework built on top of PHP than for a language like PHP itself. PHP itself is pretty low-level. How would you suggest providing better protection against these?
In the past, of course, PHP did have magic_quotes, which was a misguided attempt at mitigating SQL injections. This has since been removed, and there's been a big push in the direction of using prepared statements/parameterized queries through a library like PDO, which I think was introduced in PHP 5.
Agreed that this is the role of a framework, and this is in many ways what is wrong with PHP. It tries to be both a language and a framework with its built-in templating. But templating which does not include simple-to-use support for escaping HTML is a really dangerous tool in the hands of a beginner.
So was the (I believe now deprecated) mysql library they shipped and the tempting ease of string interpolation.
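Added example, not part of the thread: the two points raised above (string interpolation versus PDO prepared statements, and HTML escaping at output time) side by side in plain PHP. The `users` table, the helper names `findInterpolated`, `findPrepared` and `e`, and the sample rows and input are constructed for illustration; it assumes the `pdo_sqlite` extension so it can run against an in-memory database.

```php
<?php
// Constructed data in an in-memory SQLite database, so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)');
$pdo->exec("INSERT INTO users (name, bio) VALUES
    ('alice', 'likes <b>PHP</b>'), ('bob', 'plain text')");

// Constructed input: a name that contains SQL syntax.
$input = "nobody' OR '1'='1";

// "Before": the value is interpolated into the SQL text, so the quote in
// $name ends the string literal and the rest is parsed as part of the query.
function findInterpolated(PDO $pdo, string $name): array
{
    $sql = "SELECT name, bio FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// "After": the SQL text is fixed and the value is bound as a parameter,
// so it is only ever compared against the name column as data.
function findPrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name, bio FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Short escaping helper for templates: PHP's built-in templating prints
// values raw unless each one is passed through something like this.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

printf("interpolated query matched %d row(s)\n",
    count(findInterpolated($pdo, $input)));
printf("prepared query matched %d row(s)\n",
    count(findPrepared($pdo, $input)));

// Template output: stored markup is rendered as text, not as HTML.
foreach (findPrepared($pdo, 'alice') as $row) {
    echo '<li>' . e($row['name']) . ': ' . e($row['bio']) . "</li>\n";
}
```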