Lots of languages have easy string interpolation, and don't do anything to prevent that being used around sql statements. I'm not sure why php is being called out in this particular case. Sure, it has warts, but in this specific area, it's no better or worse than most languages. It supports bind variables and the documentation pushes you that way.