I think what makes this hard for folks is tracking what the expected form of data is at each step of its lifecycle, especially considering people working with new and unfamiliar codebases or splitting focus on multiple projects.
There are some frameworks that try using types to solve the problem. Alternatively, the developers could throw in a comment that looks something like:
// client == submits raw data ==> web_server == inserts raw data (param. sql stmt) ==> db_server ==> returns query with raw data ==> our_function == returns html-escaped data ==> client
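The type-based approach the comment mentions, as an added example that is not part of the original post: distinct `Raw` and `SafeHtml` types make the data's state at each step of the lifecycle above (parameterised insert, raw read-back, escape once at the output boundary) visible in the function signatures. The table and function names are constructed for the example.

```python
import html
import sqlite3
from typing import NewType

# Distinct types record the trust state of a string in its signature:
# Raw is user-submitted data, SafeHtml has been escaped for HTML output.
Raw = NewType("Raw", str)
SafeHtml = NewType("SafeHtml", str)


def store_comment(conn: sqlite3.Connection, body: Raw) -> None:
    """web_server step: insert raw data with a parameterised statement,
    so the database never interprets the payload as SQL."""
    conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))


def load_comments(conn: sqlite3.Connection) -> list[Raw]:
    """db_server step: rows come back as raw data, still untrusted."""
    return [Raw(row[0]) for row in conn.execute("SELECT body FROM comments")]


def render(body: Raw) -> SafeHtml:
    """our_function step: the only place raw data becomes HTML-safe."""
    return SafeHtml(html.escape(body, quote=True))


def emit(fragment: SafeHtml) -> str:
    """Output sink: a type checker rejects a Raw value passed here."""
    return f"<li>{fragment}</li>"


def page(conn: sqlite3.Connection) -> str:
    """Assemble the response only from values that went through render()."""
    return "".join(emit(render(c)) for c in load_comments(conn))


def demo() -> str:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (body TEXT)")
    # Constructed sample input containing HTML and quote metacharacters.
    store_comment(conn, Raw("it's <b>bold</b> & more"))
    return page(conn)
```

Running a type checker such as mypy over code that passes a `Raw` straight into `emit()` flags the missing escape step at compile time rather than in production.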