Failure to validate user input adequately—or even at all—is one of the main reasons that PHP is sometimes seen as having weak security. Part of the blame lies with the image PHP has often promoted of itself as being "easy to learn." Books and tutorials aimed at beginners often concentrate on the bare essentials of gathering input from an online form and sending it by email. As a result, inexperienced users find their web sites subject to malicious attacks from SQL injection or email header injection.

The problem with validation is that it's a tedious process, usually involving a lengthy series of ...