Joel Spolsky wrote an interesting article on ways to make coding mistakes obvious, like using semantic prefixes on variable names. If you have unfiltered data from the user, you can make the variable something like $usFoo so that you always remember that the data is unsafe, and won’t output it unfiltered (therefore preventing malicious code injection).
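The following is an added example (not code from the page or from the article it refers to) showing the convention in Python: a name beginning with `us` holds an unsafe string straight from the user, a name beginning with `s` holds a string already encoded for HTML output, and a single function is the only sanctioned way to turn one into the other. The function names `encode_for_html`, `write_html`, `render_greeting` and `find_unsafe_writes` are all assumptions made for this illustration; the final function is a small heuristic checker that mechanizes the "looks wrong" rule by flagging lines where a `us`-prefixed variable is written without being encoded.

```python
import html
import re

# Added example, not the article's code. Convention used here:
#   us... = unsafe string, exactly as received from the user
#   s...  = safe string, already encoded for HTML output
# Only encode_for_html() performs the us -> s conversion, so a call such as
# write_html(us_comment) stands out as wrong to anyone reading the code.


def encode_for_html(us_text: str) -> str:
    """The one sanctioned us -> s step: HTML-encode the untrusted value."""
    # quote=True also encodes " and ', so the result is safe inside attributes.
    s_text = html.escape(us_text, quote=True)
    return s_text


def write_html(s_text: str) -> str:
    """Emit output; by convention the argument must already be an s-prefixed value."""
    return s_text


def render_greeting(us_name: str) -> str:
    """Correct usage: encode first, then write the s-prefixed result."""
    s_name = encode_for_html(us_name)
    return write_html("<p>Hello, " + s_name + "</p>")


# Heuristic checker: a write_html(...) call whose argument list contains a
# us-prefixed identifier and no encode_for_html() call on the same line.
_UNSAFE_WRITE = re.compile(r"write_html\([^)]*\bus[A-Z_]\w*")


def find_unsafe_writes(source: str) -> list[int]:
    """Return 1-based line numbers where a us* value reaches write_html unencoded."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if _UNSAFE_WRITE.search(line) and "encode_for_html(" not in line:
            hits.append(lineno)
    return hits


# Constructed sample source for the checker; line 3 violates the convention.
SAMPLE_SOURCE = """\
s_title = encode_for_html(us_title)
write_html(s_title)
write_html(us_comment)
write_html(encode_for_html(us_comment))
"""

if __name__ == "__main__":
    print(render_greeting("<b>Bob</b>"))
    print("unsafe writes on lines:", find_unsafe_writes(SAMPLE_SOURCE))
```

The checker is deliberately simple (one call per line, no data flow across statements); its value is that the naming convention makes the defect detectable by a regex at all, which is the point of choosing prefixes that encode safety rather than type.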