Filter ALL foreign data Let PHP help - htmlentities(), strip_tags(), utf8_decode(), etc. Don't try to guess bad tags - only allow safe ones The bad guys are very creative - you must be, too!