Does anyone know what kind of filtering at the application level would prevent this? I want my app to be secure even on older versions of PHP.
Upgrade to the latest stable version of PHP (security fix was included in 5.2.0). If this cannot be done, it appears the problem requires the use of multi-byte characters, so you could use [man]mb_convert_encoding[/man] to convert any user-input text to a single-byte character set.
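
The conversion suggested in the answer above, as an added example that is not part of the original thread. It assumes input arrives as UTF-8 and the application works in ISO-8859-1; the function names `to_single_byte` and `clean_input_array` and both charset constants are hypothetical. It is written without closures or short array syntax so it also parses on older PHP 5 releases.

```php
<?php
// Added example. Both charset choices below are assumptions, not from the thread.
define('INPUT_CHARSET', 'UTF-8');      // assumed encoding of incoming data
define('SAFE_CHARSET', 'ISO-8859-1');  // assumed single-byte target charset

/**
 * Convert one string to the single-byte charset.
 * Returns false when the input is not well-formed in INPUT_CHARSET.
 */
function to_single_byte($value)
{
    // Reject malformed byte sequences outright instead of trying to repair them.
    if (!mb_check_encoding($value, INPUT_CHARSET)) {
        return false;
    }
    // Characters with no equivalent in the target charset become '?'.
    mb_substitute_character(0x3F);
    return mb_convert_encoding($value, SAFE_CHARSET, INPUT_CHARSET);
}

/**
 * Apply to_single_byte() to every key and value of a possibly nested
 * input array. Entries that fail validation are dropped.
 */
function clean_input_array($input)
{
    $clean = array();
    foreach ($input as $key => $value) {
        $key = to_single_byte((string) $key);
        if ($key === false) {
            continue;
        }
        if (is_array($value)) {
            $clean[$key] = clean_input_array($value);
        } else {
            $converted = to_single_byte((string) $value);
            if ($converted !== false) {
                $clean[$key] = $converted;
            }
        }
    }
    return $clean;
}

// Constructed sample input: one valid UTF-8 value, one truncated sequence.
$sample = array(
    'name'    => "Ren\xC3\xA9e",  // well-formed UTF-8
    'comment' => "bad\xC3",       // lone lead byte, malformed
);
$clean = clean_input_array($sample);
var_dump($clean);
```

Run the filter once on `$_GET`, `$_POST` and `$_COOKIE` before any other code reads them, and pass the same charset to later output calls, for example `htmlspecialchars($clean['name'], ENT_QUOTES, SAFE_CHARSET)`.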