Cups, your post sent me off in two directions, both possibly useful.
Both possibly red herrings of course
...modifying the contents of $_POST in my scripts.
When I thought of doing that, I saw that it was a simple way to solve a problem that would otherwise require a lot of work, so I didn't wonder whether it was good practice. I just tried it, and it worked, so I did it. Maybe I shouldn't have. Do you know, does anyone here know anything about that?
There have been past discussions here about meddling with globals like the $POST array, and I think most impressions were it is seen as a Bad Thing, mostly because you cannot guarantee every $POST var has actually passed through your "cleansing gateway" - if that is indeed what you had done.
I have to say that many of those discussions went hand in hand with people incorrectly "pre-escaping" data which was likely headed for a database, and that the escaping mechanisms chosen were usually the wrong ones in any case.
In these days of PDO and prepared statements all it does is add a level of complexity which serves to only trick oneself.
I know only too well this is true, because I thought it was a good idea once, and it took years to eradicate its effect from some old code-bases.