
I'm always sort of flabbergasted when I see PHP programmers doing this "maybe_xyz" stuff. I recall there's a PHP API for escaping stuff that has weird options for either allowing "double escaping" or ignoring successive invocations. It screams amateur hour to say "uh, I have a string, and I don't know if it's escaped yet, so I'll just call this API that escapes it because it magically avoids 'double escaping' for me." There's no such thing as "double escaping" -- it's just "escaping". The fact that you might be escaping something that appears to be an already-escaped string is irrelevant. If you are dealing with user input strings and you don't know for sure whether a string is escaped or not (or how many times), you are probably writing a security hole somewhere.



While I totally agree, this is in no way specific to PHP.

Ruby on Rails has such ugliness too, a view helper called "escape_once": http://api.rubyonrails.org/classes/ActionView/Helpers/TagHel...

What's crazy is that I can't even find an "escape" helper. Oh, it's called html_escape. Oh, and there is an html_escape_once too!

Python Django too: https://docs.djangoproject.com/en/dev/ref/utils/#django.util...


Fair enough. It's funny how angry I get when I think of someone needing an "escape_once" function or "is_serialized". I think this discussion might have to become part of my interview process, because if someone doesn't understand the absolute undeniable terribleness of trying to determine if a string has been escaped or serialized by inspecting its contents, then I really don't want them in my code.
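To make the point of the thread concrete, here is an added example (not code from the thread or from any of the frameworks named in it). It contrasts three approaches: a hypothetical `maybe_escape` that guesses escape state by inspecting the string's contents (the antipattern the thread objects to), a constructed reimplementation of the `escape_once` idea (an `&` is left alone when it already looks like the start of an entity; this is my own sketch, not the Rails or Django code), and an `escape` that carries escape state in the type of the value instead of in its bytes, which is the pattern Django's `SafeString` and Jinja's `markupsafe.Markup` follow. The sample inputs are constructed: one is a visitor who literally typed `&lt;b&gt;` because they are writing about HTML, the other is raw markup preceded by an entity.

```python
import html
import re

# --- Antipattern: decide whether to escape by looking at the content. -------
# Hypothetical heuristic, constructed for illustration: "if it contains an
# entity, someone must already have escaped it, so leave it alone".
def maybe_escape(s: str) -> str:
    looks_escaped = "&amp;" in s or "&lt;" in s or "&gt;" in s
    return s if looks_escaped else html.escape(s, quote=True)


# --- "escape_once": escape, but don't touch an '&' that already begins an
# entity. Constructed reimplementation of the idea, not the Rails helper. -----
_ENTITY_AHEAD = re.compile(r"&(?!(?:[a-zA-Z][a-zA-Z0-9]*|#[0-9]+|#[xX][0-9a-fA-F]+);)")

def escape_once(s: str) -> str:
    s = _ENTITY_AHEAD.sub("&amp;", s)
    return (s.replace("<", "&lt;").replace(">", "&gt;")
             .replace('"', "&quot;").replace("'", "&#x27;"))


# --- Escape state tracked by type, never by inspecting the characters. ------
class Markup(str):
    """A string the program has already escaped (or deliberately marked safe)."""

    def __html__(self) -> str:
        return str(self)

def escape(value) -> Markup:
    # Already-safe markup passes through; everything else is escaped exactly
    # once. Calling escape() repeatedly is therefore harmless, and the decision
    # never depends on what the string happens to contain.
    if isinstance(value, Markup):
        return value
    return Markup(html.escape(str(value), quote=True))


# Constructed inputs.
LITERAL_ENTITY_TEXT = "&lt;b&gt;"   # visitor really typed these eight characters
ENTITY_THEN_MARKUP = "&amp;<b>"     # raw markup sitting next to an entity

def demo() -> dict:
    return {
        # The heuristic is fooled by the leading entity and emits raw markup.
        "maybe_escape": maybe_escape(ENTITY_THEN_MARKUP),
        # escape_once keeps the markup out but silently turns the visitor's
        # literal "&lt;b&gt;" into something the browser renders as "<b>".
        "escape_once_literal": escape_once(LITERAL_ENTITY_TEXT),
        "escape_once_markup": escape_once(ENTITY_THEN_MARKUP),
        # Type-tracked escaping: the literal text survives as typed, and
        # escaping twice yields the same output as escaping once.
        "escape_literal": escape(LITERAL_ENTITY_TEXT),
        "escape_twice": escape(escape("<b>")),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value!r}")
```

The `maybe_escape` line is the security-relevant one: a content heuristic can be satisfied by the caller's own data, so anything that merely contains an entity is trusted and inserted raw. `escape_once` cannot be tricked into emitting `<`, but it corrupts legitimate input, and neither helper tells the caller whether the value was trustworthy to begin with. With `Markup`, the only way a string avoids escaping is to have been produced by `escape` (or explicitly wrapped by the programmer), which is a fact about the program's flow, not a guess about the bytes.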





