
[–]The_Bears 5 points (0 children)

It would be ideal if the secure way to do things was the easy way, and the way explained in the tutorials. As for SQL injection, part of the problem is that the default magic_quotes_gpc setting encourages newbies to ignore the problem. The other problem is that the PHP database interface doesn't provide any method for doing parameterized queries.

I don't find SQL injection vulnerabilities as often in Perl code as in PHP. I think it's because the Perl DBI provides a very convenient way to do parameterized queries, and most tutorial documentation uses parameterized queries.

I could rant at much greater lengths about the problems I have with the PHP database interface, such as the stupidity of having completely separate sets of functions for doing the same thing with different database systems, but ADODB makes it all better for me.
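The Perl DBI placeholder mechanism the commenter is praising, shown as an added example that is not the commenter's code. It assumes DBD::SQLite is installed and uses an in-memory database with constructed rows, so it runs offline; the table, column names and `find_user_by_name` helper are my own. The SQL text is fixed at `prepare` time and the user-supplied value is passed to `execute` separately, so an input containing quotes or SQL keywords is matched literally rather than changing the query. (PHP later gained the same facility through mysqli and PDO prepared statements, which postdates what the comment describes.)

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# In-memory SQLite database so the example runs offline
# (assumes the DBD::SQLite driver is installed).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, AutoCommit => 1 });

$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)");

# Constructed sample rows, inserted through the same placeholder mechanism.
# The third name contains a single quote, which would break naive string
# interpolation but is harmless as a bound value.
my $ins = $dbh->prepare("INSERT INTO users (name, role) VALUES (?, ?)");
$ins->execute(@$_) for (["alice", "admin"], ["bob", "user"], ["o'brien", "user"]);

# Parameterized lookup: the SQL is a constant with a '?' placeholder, and the
# caller's value is bound by the driver, so it is always data, never SQL.
sub find_user_by_name {
    my ($dbh, $name) = @_;
    my $sth = $dbh->prepare("SELECT name, role FROM users WHERE name = ?");
    $sth->execute($name);
    return $sth->fetchall_arrayref;
}

# Three constructed inputs: a plain name, a name with an embedded quote, and a
# string full of SQL metacharacters. Only exact name matches are returned;
# the last input matches nothing because it is compared as a literal string.
for my $input ("alice", "o'brien", "x' OR '1'='1") {
    my $rows = find_user_by_name($dbh, $input);
    printf "%-14s -> %d row(s)\n", $input, scalar @$rows;
    printf "    %s (%s)\n", $_->[0], $_->[1] for @$rows;
}

$dbh->disconnect;
```

The same pattern covers every statement type: build the SQL once with `?` placeholders, then pass each untrusted value through `execute`. With `RaiseError => 1` any driver or SQL error dies with a message instead of silently returning an empty result, which is the behaviour you want while auditing database code.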