Filter ALL foreign data Let PHP help - htmlentities(), strip_tags(), utf8_decode(), etc. Only allow safe content - don't try to guess the bad Use a strict naming convention - help identify what data has been filtered The bad guys are very creative - you must be, too!