https://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/
Until a few days ago, I hadn't touched PHP for nearly 10 years. I was surprised to see so many new things. There is no doubt that its ecosystem is still massive and will continue to be so for decades ahead. What I am wondering though, is whether some of the old "ghosts" plaguing the language have been removed or replaced with something better.
Anyone experienced enough to comment on that?
A lot of the insecure by default functionality and footgun functions have been deprecated or removed in the latest versions.
Most of the modern frameworks, e.g. Laravel et al., also have abstractions that protect you around a lot of the functionality where low-hanging vulnerabilities used to lie. It’s rarer to find things like XSS, SQL inj, file inclusion vulns.
Type comparison will still do crazy things if you aren’t strict, but they have introduced typed properties in PHP 7.4.
A double-edged sword is that a lot of modern development relies on package managers like Composer, which means you can be exposed to security issues through the sheer number of dependencies pulled into some of these frameworks.
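As an added illustration of the "type comparison will still do crazy things" point (this is example code, not something posted in the thread): the loose `==` operator treats two strings that both look like `0e<digits>` as the number zero, so a credential or token check written with `==` passes for values that share nothing but that shape. The "stored" and "supplied" strings below are constructed for the demo and are not real digests; the `Session` class and `assignUserId()` helper are likewise invented here to show how typed properties plus `declare(strict_types=1)` refuse silent coercion.

```php
<?php
// Added example: loose vs strict comparison in PHP, and the PHP 7.4+
// typed-property / strict_types mitigations. All inputs are constructed.
declare(strict_types=1);

// Both values are numeric strings of the form 0e<digits>; under == PHP
// converts each to a float (0.0) before comparing, so they compare equal
// even though they are different byte sequences. This still holds on PHP 8.
$stored   = '0e123456789012345678901234567890';   // constructed, not a real hash
$supplied = '0e999999999999999999999999999999';   // constructed attacker input

function looseEquals(string $a, string $b): bool {
    return $a == $b;            // numeric-string coercion applies here
}

function strictEquals(string $a, string $b): bool {
    return $a === $b;           // byte-for-byte comparison, no coercion
}

function constantTimeEquals(string $a, string $b): bool {
    // hash_equals() is strict AND timing-safe: the right primitive for
    // comparing secrets such as tokens, HMACs or password digests.
    return hash_equals($a, $b);
}

// 0 == 'abc' is true on PHP 7.x (the string is cast to 0) and false on
// PHP 8.0+, where a non-numeric string is compared against the number's
// string form. Same source, different answer depending on the runtime.
function zeroEqualsNonNumericString(): bool {
    return 0 == 'abc';
}

// Typed properties (PHP 7.4+): the declared type is enforced on every
// assignment. With declare(strict_types=1) in the assigning file, even
// a numeric string like '42' is rejected instead of being coerced to int.
final class Session {
    public int $userId;
}

function assignUserId($value): string {
    $s = new Session();
    try {
        $s->userId = $value;
        return 'assigned ' . var_export($s->userId, true);
    } catch (TypeError $e) {
        return 'TypeError: ' . $e->getMessage();
    }
}

var_dump(looseEquals($stored, $supplied));
var_dump(strictEquals($stored, $supplied));
var_dump(constantTimeEquals($stored, $supplied));
var_dump(zeroEqualsNonNumericString());

echo assignUserId(42), "\n";     // int is accepted
echo assignUserId('42'), "\n";   // string rejected under strict_types
```

Run it with `php example.php` on both a 7.x and an 8.x interpreter to see the `0 == 'abc'` line flip while the `0e…` comparison stays true on both; the practical takeaway is to use `===` or `hash_equals()` for any security-relevant comparison regardless of PHP version, and to turn on `strict_types` per file so typed properties and parameters actually reject bad input.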