Discussions like these are often more about terminology than about the underlying principles. I think that anyone who has programmed some more agrees that you should do something with the data coming into your app, and something when data leaves your app. I prefer the terms input filtering/validation and output escaping.
Data from outside -> filter/validate -> Business logic -> escape -> HTML, DB, etc
So filtering/validating is making sure only good data comes into your app. If you want a numeric value for something, you don't want any other character. So you filter/validate with ctype_digit/is_numeric or something similar.
Escaping happens every time some data leaves your app. Whether it is output to HTML or a db or something else. Depending on where the data goes, you use a specific escaping mechanism.
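The pipeline described above, written out as an added example (this is not code from the original post): a hypothetical comment form with a numeric `user_id` and a free-text `comment` is validated with `ctype_digit` and length/encoding checks on the way in, the business logic works on the clean but unescaped values, and each destination gets its own escaping on the way out: `htmlspecialchars` for HTML, and a PDO prepared statement for the database so the driver handles quoting. The table name, field names and sample request are all constructed for the example.

```php
<?php
// Added example: "data from outside -> filter/validate -> business logic -> escape per destination".
// Assumes a hypothetical comment form with fields "user_id" (numeric) and "comment" (free text).

declare(strict_types=1);

/** Validation at the boundary: reject anything that is not what the app expects. */
function validateUserId(string $raw): int
{
    // ctype_digit accepts only the characters 0-9, so "12abc", "-1", " 12" and "" are rejected.
    if ($raw === '' || !ctype_digit($raw)) {
        throw new InvalidArgumentException('user_id must be a positive integer');
    }
    return (int) $raw;
}

function validateComment(string $raw): string
{
    // Normalise line endings and enforce length and encoding limits.
    // No escaping here: at this point we do not yet know where the text will go.
    $text = str_replace(["\r\n", "\r"], "\n", $raw);
    if (!mb_check_encoding($text, 'UTF-8')) {
        throw new InvalidArgumentException('comment must be valid UTF-8');
    }
    if (trim($text) === '' || mb_strlen($text, 'UTF-8') > 2000) {
        throw new InvalidArgumentException('comment must be 1..2000 characters');
    }
    return $text;
}

/** Escaping for HTML output: done at the moment of output, for this destination only. */
function renderComment(int $userId, string $comment): string
{
    // ENT_QUOTES escapes both ' and ", so the value is safe inside attributes as well as text.
    $safe = htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p data-user=\"{$userId}\">" . nl2br($safe) . "</p>\n";
}

/** "Escaping" for the database: let the driver do it through a prepared statement. */
function storeComment(PDO $db, int $userId, string $comment): void
{
    $stmt = $db->prepare('INSERT INTO comments (user_id, body) VALUES (:uid, :body)');
    $stmt->bindValue(':uid', $userId, PDO::PARAM_INT);
    $stmt->bindValue(':body', $comment, PDO::PARAM_STR);
    $stmt->execute();
}

// --- constructed sample request, standing in for $_POST ---
$post = [
    'user_id' => '42',
    'comment' => "Nice post! <script>alert('x')</script> & \"quotes\"",
];

try {
    $userId  = validateUserId($post['user_id']);
    $comment = validateComment($post['comment']);

    // Business logic would run here on the clean, unescaped values.
    // Each destination then gets its own escaping on the way out.
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT)');
    storeComment($db, $userId, $comment);   // stored verbatim: no HTML entities end up in the DB
    echo renderComment($userId, $comment);  // HTML-escaped only at this output point
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Bad request: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

The point of keeping the comment unescaped in the database is that the same value may later go to a different destination (a JSON API, an e-mail, a log line), each of which needs its own escaping; escaping for HTML at input time would corrupt it for every other output.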
validating text input