In Ben Ramsey's latest post today, he talks about filtering user input and some of the wealth of discussions that have come up about it on the php-general mailing list.
I tend to agree with Richard, and that’s why I’ve been paying attention to the PECL Input Filter extension.
Richard Lynch even tossed out a few of his ideas concerning the use of a $_CLEAN superglobal variable that would merely serve as a reminder to programmers (through its constant use in the PHP manual) to filter input as a "best practice" (see here and here). Furthermore, on Chris Shiflett's blog, Richard comments that "[s]urely our base solution for minimal Security should be a fundamental part of the PHP language, not some add-on second thought."
Ben starts from the beginning, talking about the Input Filter's roots (from Derick and Rasmus), and Richard's point about security tools being a "fundamental part of the PHP language". He gives an example of a form and how an integrated PHP extension might look to handle the filtering, and his personal opinion on the matter:
It should be noted that it is just as easy to filter input without these built-in functions, but, perhaps, with the inclusion of these functions, it will encourage others to start properly filtering data.
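As an added illustration (not code from Ben's post or from the extension's own documentation), here is a small validation routine written against the filter API that shipped as ext/filter in PHP 5.2, the successor of the PECL Input Filter; the function and constant names are from that API, while the form fields, rules and sample submissions are constructed. It also shows a manual equivalent for one field, the point Ben makes about the built-in functions being a convenience rather than a necessity.

```php
<?php
// Added example (not from Ben Ramsey's post): validating a constructed form
// submission with the ext/filter API (PHP 5.2+, the successor of the PECL
// Input Filter extension), beside a manual check that does the same job.
// Requires PHP 7.1+ for the foreach destructuring syntax.

/** Validate registration fields; returns cleaned values and the names of fields that failed. */
function filterRegistration(array $input): array
{
    $clean  = [];
    $errors = [];
    // Whitelist validators: each returns false on anything that does not match.
    $rules = [
        'age'      => [FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 13, 'max_range' => 120]]],
        'email'    => [FILTER_VALIDATE_EMAIL, []],
        'username' => [FILTER_VALIDATE_REGEXP,
                       ['options' => ['regexp' => '/^[a-z0-9_]{3,16}$/']]],
    ];
    foreach ($rules as $field => [$filter, $options]) {
        $value  = isset($input[$field]) ? $input[$field] : null;
        $result = filter_var($value, $filter, $options);
        if ($result === false) {
            $errors[] = $field;          // reject; do not "fix up" bad input
        } else {
            $clean[$field] = $result;    // typed value (int for age)
        }
    }
    return ['clean' => $clean, 'errors' => $errors];
}

// The same age rule without ext/filter: the extension is a convenience, not a requirement.
function manualAge($value)
{
    if (!is_string($value) || !preg_match('/^\d{1,3}$/', $value)) {
        return null;
    }
    $n = (int) $value;
    return ($n >= 13 && $n <= 120) ? $n : null;
}

// Constructed sample submissions: one valid, one with a tampered age and a malformed e-mail.
$good = ['age' => '34',    'email' => 'alice@example.com', 'username' => 'alice_01'];
$bad  = ['age' => '34abc', 'email' => 'alice@',            'username' => 'alice_01'];

var_dump(filterRegistration($good)['errors']);
var_dump(filterRegistration($bad)['errors']);
var_dump(manualAge('34'), manualAge('34abc'));
```

Whichever route is used, the fields that fail are reported back rather than silently coerced, so the caller decides what to do with a bad submission.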