On further thought, I'm unclear on how what you describe is not the same thing as what I suggested.

OK, so , in concrete terms, I believe that what you're saying is that on the user side you name an input form element "xyz". In your application, you're going to run the input value through some regex's to strip dangerous characters. And then on the database side, you're going to write the cleaned value to my_table.column_foo. Yes?

Then how is that different (other than leaving out the regex cleaner step for simplicity) from scrambling column_foo into 'xyz' and outputting an html form element of that name, then unscrambling 'xyz' into "column_foo" and writing the cleaned value to it?