I prefer not to even construct any SQL on a client if I can possibly avoid it. I find it much better to have only stored procedures as the visible interface of a database server, meaning no internal structures of the database are visible to the outside world.
I'm usually happier when RDBMSs don't support stored procedures at all. Not for nothing, but what you're saying is, for most software, all sorts of doing it wrong, for a list of reasons it'd take way too long to list.
Just to be clear, nothing happening here is the fault of PHP. With only minimal competence, the average 8-year-old should be capable of writing code that's impossible to SQL inject. The end.
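As an added example (not from any commenter in the thread), the contrast the thread is about: the same lookup built by string concatenation and with a bound parameter, run against a constructed in-memory SQLite table. The legitimate name O'Brien already breaks the concatenated form, which is the same mechanism an injection abuses; Python rather than PHP is used to make the point that the fix is not language-specific.

```python
import sqlite3

# Constructed sample data for the demonstration (not from any real system).
SAMPLE_USERS = [("alice", "alice@example.test"), ("O'Brien", "obrien@example.test")]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """Unsafe: the input is pasted into the SQL text, so any quote character
    in it changes the structure of the statement instead of staying data."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Safe: the driver sends the SQL text and the value separately; the value
    is never parsed as SQL, whatever characters it contains."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name: str) -> dict:
    """Run both lookups for the same input and report what each one did."""
    conn = make_db()
    result = {"parameterized": lookup_parameterized(conn, name)}
    try:
        result["concatenated"] = lookup_concatenated(conn, name)
    except sqlite3.OperationalError as exc:
        # The apostrophe terminated the string literal early and the rest of
        # the input was parsed as SQL: a syntax error for an accidental input,
        # a changed query for a crafted one. Parameters remove that path.
        result["concatenated"] = f"error: {exc}"
    conn.close()
    return result


if __name__ == "__main__":
    for user in ("alice", "O'Brien"):
        print(user, compare(user))
```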