What do you use to *debug* PHP?
To debug PHP, you replace it with something better.
To debug code written in PHP, you use Very Careful Eyeballs, Mark II.
(Mark II are the suspicious/paranoid ones; the Mark I are the bright creative ones that were used to write the code. To switch between the two, I use Sleep in between.)
It's not just sanitizing inputs (don't forget the CGI environment variables, and things like "../" in client-supplied URLs and paths), but making sure that whenever (temporary) files are uploaded to the server, they are not immediately accessible (published on the web tree), because that allows script drops and other nasties; and that before moving a file from that temporary storage to visible storage, it too is verified to be non-script content.
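The two rules in that comment (uploads land outside the web tree first, and a file is checked for script content before it is moved anywhere the server publishes) as an added PHP example; this is not code from the thread. The directory paths, the size limit and the set of accepted types are assumptions for illustration.

```php
<?php
// Added example, not from the original comment. Two-stage upload handling:
// 1. the file is moved into a quarantine directory that is NOT under the document root,
// 2. it is admitted to the published tree only after content checks pass.
// Assumed deployment paths; adjust to the host.
const QUARANTINE_DIR = '/var/app/quarantine';   // never served by the web server
const PUBLISH_DIR    = '/var/www/html/files';   // served statically, script engine off
const MAX_BYTES      = 5 * 1024 * 1024;

// Types we are willing to publish (assumed list). The key is what libmagic reports,
// the value is the extension forced onto the stored copy; the client-supplied name
// is never used, so "../" and ".php" in it never reach the filesystem.
const ALLOWED = [
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
];

// Stage 1: take one entry of $_FILES and park it in quarantine under a random name.
function quarantineUpload(array $file): string
{
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Refuses paths that did not come from this request's upload handling.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if (($file['size'] ?? 0) > MAX_BYTES) {
        throw new RuntimeException('too large');
    }
    $dest = QUARANTINE_DIR . '/' . bin2hex(random_bytes(16));
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not quarantine');
    }
    chmod($dest, 0600);   // readable by the app account only, never executable
    return $dest;
}

// Stage 2: verify the quarantined file and move it into the published tree.
function publishIfSafe(string $quarantined): string
{
    // The path must resolve inside the quarantine directory; realpath() collapses
    // ".." components and symlinks before the prefix comparison.
    $real = realpath($quarantined);
    $qdir = realpath(QUARANTINE_DIR);
    if ($real === false || $qdir === false || strpos($real, $qdir . '/') !== 0) {
        throw new RuntimeException('path escapes quarantine');
    }

    // Type is taken from the bytes, not from the client's Content-Type or filename.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($real);
    if (!isset(ALLOWED[$mime])) {
        unlink($real);
        throw new RuntimeException("rejected type $mime");
    }

    // Reject script markers anywhere in the file even when the magic bytes matched,
    // e.g. a valid PNG with a PHP open tag appended. Size is already bounded above.
    $bytes = file_get_contents($real);
    if ($bytes === false || preg_match('/<\?(php|=|\s)|^#!/', $bytes)) {
        unlink($real);
        throw new RuntimeException('script content detected');
    }

    $target = PUBLISH_DIR . '/' . basename($real) . '.' . ALLOWED[$mime];
    if (!rename($real, $target)) {
        throw new RuntimeException('could not publish');
    }
    chmod($target, 0644);   // world-readable for the web server, still not executable
    return $target;
}

// Usage from the request handler (assumed form field name "upload"):
// $stored = quarantineUpload($_FILES['upload']);
// $path   = publishIfSafe($stored);
```

The marker scan is a heuristic and will occasionally reject a legitimate binary that happens to contain those byte sequences; that is the safe direction. The control that actually makes a dropped script harmless is serving PUBLISH_DIR with script execution disabled for that directory, so the checks above are a second layer, not a substitute.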
One thing that makes debugging PHP harder than other scripting languages is that while you can run the PHP interpreter from the command line, it is not the same one used for web pages (regardless of whether you use mod_php or php-as-fastcgi); even the configuration files are different. Essentially, for PHP development, you have to set up a (local) web server that only you can access.
At least Python uses the same interpreter (if run as CGI or fastcgi), and with a bit of fiddling, you can set up a "debug harness" that runs the scripts exactly as they would as a cgi/fastcgi script. The downside is that Python pushes hard for its own WSGI interface, which can be annoying. (And the "on Rails" part is why I haven't delved too far into Ruby, either. I want a frigging language that does not try to force its favourite web framework on me, dammit! I do my own minimal, lightweight ones, please and thank you.)
In general, if the Unix owner and group of the scripts and published files were different to the owner and group running the script interpreter, you could set up checks that no user-uploaded content would ever be executed as a script, eliminating basically all script drop attacks (but still leaving JavaScript-based cross-site scripting risks). However, no web hotel (Plesk, CPanel, etc.) currently provides more than one account for a web site; you need a virtual server to do even such trivial security enhancement. And this applies to all scripting languages, not just PHP. The reason so many developers do not want this is that it also means the code cannot upgrade itself anymore either; the user (or automated facility on the host) has to do it from the owner account instead. Oh, the horror.
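The split-ownership rule above can be checked mechanically on a host where the scripts are owned by one account and the interpreter runs as another. The following is an added example (not from the thread) of a command-line PHP script that walks a web tree and reports every directory the interpreter account could write into, and every script file it could modify; the default root path, the interpreter account name and the extension list are assumptions. Supplementary group membership is not consulted, only the account's primary group.

```php
<?php
// Added example, not from the original comment. Run as a CLI script by the owner
// account, e.g.:  php audit-tree.php /var/www/html www-data
// Assumed defaults: document root, interpreter account, executable extensions.
$root      = $argv[1] ?? '/var/www/html';
$runUser   = $argv[2] ?? 'www-data';
$scriptExt = ['php', 'phtml', 'phar', 'cgi', 'pl', 'py'];

// True when the given uid/gid could write to the path, judging by owner, primary
// group and the permission bits (supplementary groups are not checked here).
function writableByAccount(string $path, int $uid, int $gid): bool
{
    $st = @lstat($path);
    if ($st === false) {
        return false;
    }
    $mode = $st['mode'];
    if ($st['uid'] === $uid && ($mode & 0200)) {
        return true;
    }
    if ($st['gid'] === $gid && ($mode & 0020)) {
        return true;
    }
    return (bool)($mode & 0002);   // world-writable
}

// Walk the tree and collect findings as human-readable strings.
function auditTree(string $root, int $uid, int $gid, array $scriptExt): array
{
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iter as $path => $info) {
        if ($info->isDir()) {
            // A directory the interpreter can write to lets a compromised request
            // create a brand-new script there, which is the classic script drop.
            if (writableByAccount($path, $uid, $gid)) {
                $findings[] = "directory writable by interpreter account: $path";
            }
            continue;
        }
        $ext = strtolower($info->getExtension());
        if (in_array($ext, $scriptExt, true) && writableByAccount($path, $uid, $gid)) {
            $findings[] = "script modifiable by interpreter account: $path";
        }
    }
    return $findings;
}

$pw = posix_getpwnam($runUser);
if ($pw === false) {
    fwrite(STDERR, "unknown account: $runUser\n");
    exit(2);
}

$findings = auditTree($root, $pw['uid'], $pw['gid'], $scriptExt);
foreach ($findings as $line) {
    echo $line, "\n";
}
// Non-zero exit so the check can gate a deployment or a cron job.
exit($findings === [] ? 0 : 1);
```

A clean run reports nothing and exits 0. Directories that legitimately must be writable by the interpreter (session storage, caches, the upload quarantine) belong outside the audited tree, which is exactly the arrangement the comment argues for.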