Languages don't 'sanitise input'...
There isn't a language out there which will prevent you doing something as silly as connecting to a DB and passing it a string straight from user input. If there's anyone out there relying for their security on a choice of language, then they're not going to last very long because it is not going to help in the slightest.
Perhaps there are some IT bods out there patting themselves on the back right now because they don't use PHP and are therefore 'secure'. Perhaps people this clueless were working at Talk-talk too.