I agree with litewarez, in a way: PHP has made sure to provide encoding and escaping functions, so they are doing it, just not directly.

I don't really think it's just about giving control. The PHP language, like I always say, is almost becoming a noob-friendly language, which is great; it means anyone can learn it fast.

If you implement the things mentioned in the article (or other methods) in functions or classes, it'll definitely save you a lot of time, but first you need to make sure how to handle functions and classes, and what to add in there; this way you don't end up escaping or encoding the wrong characters, which would render the function useless.

The most common "hacks" are SQL injection and HTML injection. I never really saw many reports about system/shell injection, but I thought I'd include it anyway.

I still say, for direct small inputs, regex is the man.

The other good thing about not having everything encoded automatically is that, if you're saving that data into a database, you don't really need to encode all characters if you code a strong script.

With direct input, it'll save you space: instead of &quot; or &amp;, the decoded version will be inserted. If you consider a large database, that will save you a lot of bytes and bits (i.e. & vs &amp;).

It's much better than the early days, when using base64 to encode data and then storing it in the database was standard, which increased the data by 30-40%.
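The approach the comment describes, stored raw and escaped only at output, as an added example (not code from the commenter or the article); it assumes PDO with the SQLite driver and uses a constructed sample input:

```php
<?php
// Added example: keep the stored value unencoded and escape per context
// (SQL, HTML, shell) at the point of use. Runs stand-alone on PHP with
// the pdo_sqlite extension.

// Insert the input unchanged. The prepared statement keeps SQL
// metacharacters in the value from altering the query, so no SQL
// escaping of the stored bytes is needed.
function storeComment(PDO $db, string $text): int
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $text]);
    return (int) $db->lastInsertId();
}

function loadComment(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// HTML encoding happens only when rendering. ENT_QUOTES covers both quote
// styles and the explicit charset avoids multibyte encoding mismatches.
function renderComment(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Shell context: quote the whole value as one argument instead of
// concatenating it into a command string.
function shellArg(string $raw): string
{
    return escapeshellarg($raw);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample input containing the characters the comment mentions.
$input = 'Tom & Jerry say "hi" <b>bold</b>';
$stored = loadComment($db, storeComment($db, $input));
$html   = renderComment($stored);

printf("stored : %d bytes  %s\n", strlen($stored), $stored); // identical to input
printf("html   : %d bytes  %s\n", strlen($html), $html);     // grows only at output
printf("shell  : %s\n", shellArg($stored));
```

The stored row is byte-for-byte the user's input, so the size saving the comment talks about comes from deferring the HTML entities to render time rather than from skipping escaping.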