• Input is everything that comes as part of the http request

• Some data does not seem to be input, but may contain data originating from the user, thus must be considered as input (ex: session data that was originally supplied by the user)

Character Set

• Risk

 attack vectors may employ a non-standard char set (ex: utf-8 encoded) that may be missed by filtering, but executed by the browser

• counter

 Use the same char set for filtering as the target procedure

 convert charsets prior to filtering content-type: text/html; charset=”utf-8″

 use php’s filter extension

 use filters native to the database (ex: db quoting functions)