Hi!
I think automatically replacing most of the occurrences (I guess that all except composed ones like those used in server status) should not be a problem. I volunteer to do this if we decide to make some change.
How about using constants? They cannot be injected by users, and we would just need to search + replace $strXXX with strXXX. AFAIK constants don't perform slower than variables, possibly even faster because they can be cached by ByteOP caches [at least I remember having heard that].
Using a function like Sebastian proposed (PMA_str()) would perform terribly slowly when used a couple of times within the page, since getting function arguments, doing str_replace, calling another user space function etc. would really take up many cycles.
Regards, Garvin