Understood, but at what level is input checked? Traditionally, I always used the parameter feature of database drivers, which is a good way to prevent injection. I believe the best place to check for sql injection is at the db api level. Also, the field validators, FormEncode, act as another barrier.
The reason I'm focusing on building forms from the data objects is the "Don't Repeat Yourself" principle. It's better to define logic or data only once in your application. I've been writing web apps long enough to become sick of defining a database field as NOT NULL, writing server side logic to enforce NOT NULL, then writing javascript to check a field is NOT NULL. After seeing this pattern too frequently, it's time for something better.
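As an added example (not code from this thread or from FormEncode), one way to apply the single-definition idea in Python: a hypothetical `Field` model drives the NOT NULL DDL, the server-side validator, the client-side rule set, and a parameterised insert through the DB API, with the database constraint left standing as the last barrier. The model, table and driver (stdlib `sqlite3` in place of a real database driver) are all assumptions.

```python
import json
import sqlite3
from dataclasses import dataclass

@dataclass
class Field:  # one column definition: the only place a NOT NULL rule is written
    name: str
    sql_type: str
    nullable: bool = True
    max_length: int = 0  # 0 means no length limit
USER_FIELDS = [Field("username", "TEXT", nullable=False, max_length=32),  # constructed sample model
               Field("email", "TEXT", nullable=False), Field("nickname", "TEXT")]

def ddl(table, fields):  # schema derived from the model; identifiers come from the model, never from a request
    cols = [f"{f.name} {f.sql_type}" + ("" if f.nullable else " NOT NULL")
            + (f" CHECK(length({f.name}) <= {f.max_length})" if f.max_length else "") for f in fields]
    return f"CREATE TABLE {table} ({', '.join(cols)})"

def validate(fields, data):  # server-side check derived from the same model -> {field: error}
    errors = {}
    for f in fields:
        value = data.get(f.name)
        if value is None or not str(value).strip():
            if not f.nullable:
                errors[f.name] = "required"
        elif f.max_length and len(str(value)) > f.max_length:
            errors[f.name] = f"max length {f.max_length}"
    return errors

def client_rules(fields):  # the same constraints serialised for the browser-side check
    return json.dumps({f.name: {"required": not f.nullable, "maxLength": f.max_length} for f in fields})

def insert_row(conn, table, fields, data):  # validate, then insert through driver parameters
    errors = validate(fields, data)
    if errors: return errors
    names = [f.name for f in fields]
    sql = f"INSERT INTO {table} ({', '.join(names)}) VALUES ({', '.join('?' * len(names))})"
    conn.execute(sql, [data.get(n) for n in names])  # user values never enter the SQL text
    return {}

def demo():  # the NOT NULL constraint is the last barrier if the application checks are bypassed
    conn = sqlite3.connect(":memory:")
    conn.execute(ddl("users", USER_FIELDS))
    accepted = insert_row(conn, "users", USER_FIELDS, {"username": "alice", "email": "a@example.com"})
    try:
        conn.execute("INSERT INTO users (username, email) VALUES (?, ?)", (None, "x"))
        db_rejected = False
    except sqlite3.IntegrityError:
        db_rejected = True
    return accepted, db_rejected
```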

