At the last PHP user group meeting, I talked a bit about the safe way to inject data into HTML and SQL. I followed up the talk with some examples and some organized thoughts on the matter.

Here's that article.