Rivet wrote: What I want to do is limit text input to my form to basic Plain Text.
Define "basic Plain Text". For example, maybe to you that means "alphanumeric characters and whitespace". Then you can write a regex pattern to match that. This way, you can choose to either check that the input validates according to your regex pattern, e.g., by using preg_match and checking that the pattern is matched from the start to the end. If not, you get the user to change the input. Or, you can remove parts of the input that do not match the pattern, e.g., by negating the pattern and using preg_replace to replace with an empty string.
Rivet wrote: I want to eliminate any tags, hex digits, etc. and ensure the best I can that I simply get printable, expected results as it's rather difficult to imagine the various ways it may fail during an attack or cross-site, whatever.
Yeah, that's why I suggest that you define "basic Plain Text", i.e., come up with a whitelist of what you want to accept rather than trying to come up with a blacklist of what you want to reject.
You should still use htmlspecialchars or htmlentities when printing the text to some HTML page though, just like how you should still prevent SQL injection if you are going to store the text in a relational database. This ensures that even if the whitelist changes, your code will remain secure.
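The approach from the reply above, as an added example that is not part of the original post: validate against a whitelist with preg_match, or strip with the negated class and preg_replace, then bind the value in a prepared statement and encode it on output. The whitelist definition, the 200-character limit, the function names, the `comments` table and the sample inputs are assumptions made for illustration, and the in-memory database assumes the pdo_sqlite extension is enabled.

```php
<?php
// Assumed definition of "basic Plain Text": ASCII letters, digits, whitespace.
const PLAIN_TEXT_CLASS = 'A-Za-z0-9 \t\r\n';
const MAX_LEN = 200; // assumed length limit

// Option 1: validate. \A and \z anchor the match to the whole string.
function isPlainText(string $input): bool
{
    return strlen($input) <= MAX_LEN
        && preg_match('/\A[' . PLAIN_TEXT_CLASS . ']+\z/', $input) === 1;
}

// Option 2: sanitize. Negate the same class and delete whatever matches.
function stripToPlainText(string $input): string
{
    $clean = preg_replace('/[^' . PLAIN_TEXT_CLASS . ']/', '', $input);
    return substr($clean ?? '', 0, MAX_LEN);
}

// Output encoding is applied regardless of what the whitelist allowed.
function render(string $text): string
{
    return '<p>' . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// Constructed sample inputs.
$samples = [
    'Hello world 42',
    '<script>alert(1)</script>',
    "Robert'); DROP TABLE comments;--",
];

// Prepared statement: the value is bound as data, never spliced into the SQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (body TEXT)');
$insert = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');

foreach ($samples as $raw) {
    $accepted = isPlainText($raw);
    $insert->execute([':body' => $accepted ? $raw : stripToPlainText($raw)]);
    echo $accepted ? "valid\n" : "rejected, stored stripped copy\n";
}

foreach ($pdo->query('SELECT body FROM comments') as $row) {
    echo render($row['body']), "\n";
}
// A value that a later, wider whitelist might let through is still encoded.
echo render('<b>bold</b> & "quoted"'), "\n";
```

In a real form handler you would normally pick one of the two options: reject and ask the user to correct the input, or strip and continue.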