
Robert Peake's Weblog:
Security In, Security Out
Feb 08, 2005 @ 13:34:33

Over on his weblog, Robert Peake posts his response to Chris Shiflett's little bet from just the other day.

Chris Shiflett has an interesting post on his blog wherein he declares that all PHP security vulnerabilities come from either a lack of filtering input or escaping output. In fact, he's betting $100 that the next 4 of 5 vulnerabilities that get reported by PHP|Arch will confirm his proclamation.

My question is: what other kind of security vulnerability exists besides one that can be exploited by input either directly or as that input later becomes output to another application (like MySQL)? Define filtering broadly enough, and there's really no way to lose.

He continues, touching on the usual thinking about security before narrowing it down to his own position: "security is what you do between input and output". Where Chris focuses on handling the two ends, Robert argues that it is what happens in the middle that counts.
