I'm reading Chris Shiflett's Essential PHP Security. He suggests making sure all input is filtered by putting it in an array called $clean after it's filtered. This is a way to make sure you don't forget to filter any input, so that only filtered data enters the bowels of the application.
I like the idea, but it collides with common practice among the us object bigots in the PHP world, which is having a Request class, instantiating it and passing it around.
I can think of several ways to accomplish something similar with a Request object. One is something along the lines of Marco Tabini's trick of wrapping $_GET and $_POST Filter object, using ArrayAccess which allows them to be used as objects while still looking superficially like the original arrays.
My problem with this is not the clever ArrayAccess trick, but the fact that it's based on using different methods (html(), email(), etc.) to get at the contents of the request depending on what you want to do with it. It's simple, but what I would prefer is to be able to create a validator that contains a set of validation rules for each variable in the request, and let that take care of the filtering:
