If this were a map, say in Python, then the programmer would have to supply the value $i (or in Python, just i) with an ++$i (or in Python i+=1). This can be done in PHP too, so there is no disadvantage to what PHP supports. The problem here is that the programmer is putting dynamic code in the SQL query without sanitizing it first. So what if it is supposed to be variables that are not supposed to be affected by the user? The first rule of preventing SQL injection is to use ZERO outside string variables, even those ostensibly created by your own code. If the data _or metadata_ (i.e. array keys) came in through a function argument, then it is NOT CLEAN.
Of course, the "natural way" to write code is often riddled with buffer overflows, SQL injection, and other naive security issues. This is why you hire a programmer with experience, just as with any other profession. There is no end to the problems with PHP, but this particular bug is not one of them.
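An added example, not part of the original comment or of any project's code: it contrasts building `IN (...)` placeholders from a caller-supplied dict's keys with building them from a locally generated counter. The `users` table, the function names, the column allowlist and the hostile key are all assumptions constructed for illustration.

```python
import sqlite3

ALLOWED_COLUMNS = {"name", "uid"}  # assumed schema for this example

def expand_unsafe(column, values):
    """'Before' form: placeholder names are built from the caller's dict keys."""
    names = [f":{column}_{key}" for key in values]  # key text lands in the SQL
    params = {f"{column}_{key}": val for key, val in values.items()}
    return f"SELECT name FROM users WHERE {column} IN ({', '.join(names)})", params

def expand_safe(column, values):
    """Hardened form: only an allowlisted column and a local counter reach the SQL."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"unexpected column: {column!r}")
    # Discard the keys entirely; they are metadata from outside this function.
    items = list(values.values()) if isinstance(values, dict) else list(values)
    if not items:
        raise ValueError("IN () needs at least one value")
    names, params = [], {}
    for i, val in enumerate(items):
        names.append(f":p{i}")
        params[f"p{i}"] = val  # values are bound by the driver, never formatted in
    return f"SELECT name FROM users WHERE {column} IN ({', '.join(names)})", params

def lookup(conn, column, values):
    """Run the hardened query and return the matching names."""
    sql, params = expand_safe(column, values)
    return [row[0] for row in conn.execute(sql, params)]

def demo_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "admin"), (2, "alice"), (3, "bob")])
    return conn

# Constructed input: a dict whose key, not its value, carries SQL text.
HOSTILE = {"0) OR 1=1 --": "alice"}

if __name__ == "__main__":
    print(expand_unsafe("name", HOSTILE)[0])   # query text changed by the key
    print(expand_safe("name", HOSTILE)[0])     # query text fixed by the code
    print(lookup(demo_db(), "name", HOSTILE))  # only the bound value matters
```

The unsafe form is only printed, never executed; the difference to look at is which caller-supplied strings reach the query text.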