This mess. ultimately, is the PHP language authors' fault. They seem to argue that securing your scripts (and not just from SQL injections) is the programmer's problem.
A properly designed SQL interface (with prepared statements and placeholders) makes writing code that's prone to injections more difficult to write than code which isn't.
In PHP, it's the other way round, and the language authors don't think that's a problem.
PHP has this...now. The old insecure way is "deprecated" which means because so many billions of lines of deployed code depend on it, it'll be forever before it gets removed.