In Ben Ramsey's latest post today, he talks about filtering user input and some of the wealth of discussions that have come up about it on the php-general mailing list.

Richard Lynch even tossed out a few of his ideas concerning the use of a $_CLEAN superglobal variable that would merely serve as a reminder to programmers (through its constant use in the PHP manual) to filter input as a "best practice" (see here and here). Furthermore, on Chris Shiflett's blog, Richard comments that "[s]urely our base solution for minimal Security should be a fundamental part of the PHP language, not some add-on second thought."

I tend to agree with Richard, and that's why I've been paying attention to the PECL Input Filter extension.

Ben starts from the beginning, talking about the Input Filter's roots (from Derick and Rasmus), and Richard's point about security tools being a "fundamental part of the PHP language". He gives an example of a form and how an integrated PHP extension might look to handle the filtering, and his personal opinion on the matter:

It should be noted that it is just as easy to filter input without these built-in functions, but, perhaps, with the inclusion of these functions, it will encourage others to start properly filtering data.