That’s not completely true. There has been a PHP vulnerability recently discovered that enables people to run remote code from the query string on PHP installations running in CGI mode or mod_cgid (not FastCGI). The logs you’re currently seeing is a user trying to exploit that very vulnerability. Check to see how PHP is running on your system to know if you’re vulnerable. Alternatively, you can also go to /index.php?-s and see if the source to your PHP code is displayed. If it is, you’re vulnerable.
If you’re affected, there are many ways to protect against it. I’m not sure if PHP has released a “working” patch yet as I haven’t been following it (I’m not affected), but I’m sure you can find out on PHP’s website.