This is not a PHP thing, but a bad-developer thing.
I guess you didn't read past my first paragraph? Please do.
You can write the same crap in Java,
.NET, Python or any language you want.
Go and search the web for tutorials in those languages. You will find that the situation is vastly better with these languages compared with PHP.
That's not PHP's fault.
It is - on many fronts.
Firstly, the language promoted for many, many years, a confusion between the various layers of the application. The whole magic quotes nonsense was an attempt to fix a problem relating to the database layer in the HTTP layer. This confused PHP developers for over a decade, and even though it has since been removed, it was in there for so long that an entire generation of PHP developers had their brains twisted out of shape with this confusion.
Secondly, the official documentation was super bad for years. Security vulnerabilities in the official tutorial for years, for example.
Thirdly, the API design is so bad it practically pushes unsuspecting developers into the wrong solution. addslashes()? No, use mysql_escape_string(). Oh wait, wasn't that mysql_real_escape_string()? Or perhaps mysql_really_really_i_promise_to_do_it_right_this_time_escape_string()?
Finally, the PHP community right from the very top embraces shitty practices, like ignoring failing tests in a release build. Again, a source of security vulnerabilities that simply doesn't need to happen.
Yes, you can write bad code in any language. But that doesn't mean that all languages are equal. PHP is far, far worse at this than its contemporaries and you shouldn't make excuses for it.