Inconsistency, very prone to security mistakes, poor type system, and some people just find its syntax "ugly." For example lots of folks hate $strings and $_WTF['bbq'] type syntax. Perl is another language whose syntax draws a lot of haters.
I'd say the second problem is the most objectively bad. It is very easy to write PHP code that exposes you to all kinds of known exploit classes like SQL injection, command injection, cross-site scripting, etc. The language seems to encourage poor practices like building query strings directly from remote input without the use of a true query builder.
PHP also has a problem that it shares with JavaScript and to a lesser extent Java -- the quality of the user base and user-contributed code is often very poor. If you look for PHP code on StackOverflow or Reddit or similar sites, you are likely to get something that is horribly wrong, comically inefficient, or whose use will immediately introduce a dangerous remote security vulnerability. This comes from the simple fact that it's often a beginner language, so you have a lot of inexperienced people participating in forums and contributing sample code.
>The language seems to encourage poor practices like building query strings directly from remote input without the use of a true query builder.
I won't entirely disagree with you on this, because there is still a ton of that code out there, but PHP has had true 'query builders' for a while now, and the mysql_ functions are being deprecated anyway.
It has them, but so many people don't use them. It's partly an issue with the language and partly with the community.
One thing I learned from NodeJS is that the quality of the community around a language can matter more than the language. JavaScript is a crap language, but the NodeJS community and the base of available modules is just so good that it makes up for a lot of the language's faults. When I tried it out I thought "who says you can't polish a turd?" I mean... Joyent and Node's community have buffed that thing down to gleaming crystal.
In counterpoint -- Java's actually a pretty good language, but its community's addiction to criminal overengineering is a big reason it hasn't been "sexy" in some time.
There are a ton of features in modern PHP which address a lot of the common criticisms brought against it. Doing a proper comparison with other languages (framework to framework, not framework to language) I think PHP measures up reasonably well.
But there is so much terrible, legacy code out there. The evolution, if it's happening is happening very slowly.
I think that the fact it has taken this long to even deprecate, let alone remove, utter garbage like these functions is a prime example of why PHP is often reviled.
It almost makes you wonder if the point isn't to keep catering to bad programmers' whims just to keep from losing the 50% of PHP's community that would never be able to write software at all if they weren't working in a language that enabled them to ignore every best practice from the past 20 years.
I'd say the second problem is the most objectively bad. It is very easy to write PHP code that exposes you to all kinds of known exploit classes like SQL injection, command injection, cross-site scripting, etc. The language seems to encourage poor practices like building query strings directly from remote input without the use of a true query builder.
PHP also has a problem that it shares with JavaScript and to a lesser extent Java -- the quality of the user base and user-contributed code is often very poor. If you look for PHP code on StackOverflow or Reddit or similar sites, you are likely to get something that is horribly wrong, comically inefficient, or whose use will immediately introduce a dangerous remote security vulnerability. This comes from the simple fact that it's often a beginner language, so you have a lot of inexperienced people participating in forums and contributing sample code.