Is PHP more secure than Ruby on Rails?
Is this really the right question in the first place? In terms of programming, Ruby is a much nicer language to use with all its dynamic OO features, but in terms of security it's more about how you structure your code, not the language you use. Generally it's not the language you use, it's what you do with it.
A better question to ask is which is better for developing web applications, Ruby and Rails or PHP? The answer is that it’s a lot easier to be secure with Rails with things like ActiveRecord. PHP has traditionally not had sanity checking for things like SQL injection and it’s been a manual process.
There are extensions that you can use to mitigate the problem, but PHP is a language and framework in itself intended for server-side web development. After all, it originally stood for Personal Home Page. Like Perl and ASP, it was designed to get things running as fast as possible with little consideration of the consequences and little understanding of potential problems. I suppose you could say it needed to happen before other languages and frameworks like Rails/Zope/Django etc. came along. There's a lot of manual hacking to cover security issues with PHP, both in deployment (like running it as a CGI binary rather than using mod_php) and in sanity checking. It's only now that taint checking is coming in: http://wiki.php.net/rfc/taint
Given a 'from scratch' choice with no legacy baggage, there are better things you can use than PHP, let's put it that way, with Ruby on Rails being one of them.
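The SQL injection point in the answer above, shown in working code. This is an added example, not code from the original post, and it does not use ActiveRecord itself so that it runs with nothing but the Ruby standard library: `unsafe_query` is the string-interpolation habit the answer attributes to traditional PHP code, and `bind`/`quote` are a simplified stand-in for what ActiveRecord does when you write `where("name = ?", name)` (placeholder substitution with driver-style quoting). The `tautology_injected?` helper is a crude constructed check, not a real SQL parser, used only to make the difference visible without a database.

```ruby
# Added example, not from the original post. Demonstrates why building SQL
# by string interpolation is injectable and why placeholder binding (as an
# ORM such as ActiveRecord does for you) is not. The binder here is a
# simplified stand-in for the ORM's quoting so the block runs offline;
# real code should let the ORM or database driver do the quoting.

# Unsafe: the caller's input becomes part of the SQL grammar.
def unsafe_query(name)
  "SELECT * FROM users WHERE name = '#{name}'"
end

# Quote a Ruby value as a SQL literal the way a driver would: strings are
# single-quoted with embedded quotes doubled, numbers pass through
# unquoted, nil becomes NULL.
def quote(value)
  case value
  when nil then "NULL"
  when Integer, Float then value.to_s
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Safe: each ? is replaced by a quoted literal. A mismatch between the
# number of placeholders and values raises instead of silently producing
# a wrong query.
def bind(sql, *values)
  placeholders = sql.count("?")
  unless placeholders == values.size
    raise ArgumentError, "expected #{placeholders} values, got #{values.size}"
  end
  i = -1
  sql.gsub("?") { quote(values[i += 1]) }
end

def safe_query(name)
  bind("SELECT * FROM users WHERE name = ?", name)
end

# Return only the parts of the statement that lie outside single-quoted
# string literals (a doubled '' inside a literal is an escaped quote).
def sql_outside_strings(sql)
  out = +""
  in_string = false
  i = 0
  while i < sql.length
    c = sql[i]
    if in_string
      if c == "'"
        if sql[i + 1] == "'"
          i += 1            # escaped quote, stay inside the literal
        else
          in_string = false
        end
      end
    elsif c == "'"
      in_string = true
    else
      out << c
    end
    i += 1
  end
  out
end

# Crude constructed check for the classic tautology payload: an OR that
# ended up outside every string literal means the input changed the
# query's structure rather than being treated as data.
def tautology_injected?(sql)
  sql_outside_strings(sql).match?(/\bOR\b/i)
end

# Constructed attacker input for the demonstration.
PAYLOAD = "' OR '1'='1".freeze

if __FILE__ == $0
  puts "unsafe: #{unsafe_query(PAYLOAD)}"   # injected, returns every row
  puts "safe:   #{safe_query(PAYLOAD)}"     # matches a literal name only
  puts "unsafe injected? #{tautology_injected?(unsafe_query(PAYLOAD))}"
  puts "safe injected?   #{tautology_injected?(safe_query(PAYLOAD))}"
end
```

The interpolated version turns the payload into `name = '' OR '1'='1'`, which is true for every row; the bound version yields `name = ''' OR ''1''=''1'`, a single literal that only matches a user whose name really is that string. The same applies to a legitimate value like `O'Brien`, which breaks the interpolated query outright but is quoted correctly by `bind`.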

