This feels a lot like trying to sanitize database inputs instead of using prepared statements.