The mere concept of a "document root" is a problem though and a major footgun if you don't know what you're doing.
Every other language acts as its own web server which wouldn't even be capable of serving files even if you tried; the only thing it does is respond to web routes defined by the application.
This eliminates a whole chunk of security issues, from the one described above to malicious file uploads (PHP is probably the only language where a malicious file upload leads to RCE by default - other languages could happily accept and serve the malicious file back but wouldn't execute it).
> The mere concept of a "document root" is a problem though and a major footgun if you don't know what you're doing.
A non issue though after 2-3 days of working with this approach. All modern PHP frameworks have a so called front controller (an index.php file) that loads what it requires from ../ after, ideally, properly validating the request to avoid issues.
Every other language acts as its own web server which wouldn't even be capable of serving files even if you tried; the only thing it does is respond to web routes defined by the application.
This eliminates a whole chunk of security issues, from the one described above to malicious file uploads (PHP is probably the only language where a malicious file upload leads to RCE by default - other languages could happily accept and serve the malicious file back but wouldn't execute it).