• Input is everything that arrives as part of the HTTP request (URL, query string, headers, cookies, body)
• Some data does not look like input but may contain data that originated from the user, so it must be treated as input (ex: session data that was originally supplied by the user)
Character Set
• Risk
  Attack vectors may use a non-standard character set or encoding (ex: UTF-8 encoded payloads) that the filter misses but the browser decodes and executes
• Counter
  Use the same character set for filtering as the target procedure (the component that will consume the data)
  Convert input to that charset before filtering, and declare it in the response: Content-Type: text/html; charset="utf-8"
  Use PHP's filter extension
  Use filters native to the database (ex: DB quoting functions)
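The following is an added example (not part of the original notes) showing the counters above in PHP: the input is first checked to be well-formed in the application's charset, then escaped with that same charset for the HTML context, typed values go through the filter extension, and database quoting is tied to the connection charset. The constants, function names and sample inputs (including the overlong UTF-8 byte sequence) are constructed for illustration; `quoteForDb` is declared but not called because the example runs without a database connection.

```php
<?php
// Added example, not from the original notes: validate the byte encoding
// first, then filter and escape using the same charset the consumer will use.
declare(strict_types=1);

const APP_CHARSET = 'UTF-8'; // assumed application charset

/**
 * Reject input that is not well-formed in the application charset.
 * Overlong or truncated UTF-8 sequences are how a byte-level filter for '<'
 * can be missed while a lenient decoder still produces '<'.
 */
function normalizeInput(string $raw): ?string
{
    if (!mb_check_encoding($raw, APP_CHARSET)) {
        return null; // invalid sequence: refuse rather than guess
    }
    return $raw;
}

/** HTML output context: escape with the charset declared in the response. */
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, APP_CHARSET);
}

/** Typed input: use the filter extension instead of ad-hoc regexes. */
function parsePositiveInt(string $raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

/**
 * Database context: the quoting function must know the connection charset,
 * so set it on the connection before escaping (prepared statements are the
 * usual preference; this shows the "native DB filter" from the notes).
 * Not invoked here because the example has no live connection.
 */
function quoteForDb(mysqli $db, string $value): string
{
    $db->set_charset('utf8mb4');
    return "'" . $db->real_escape_string($value) . "'";
}

// Constructed sample inputs (not real traffic)
$samples = [
    'plain'    => "O'Reilly & <b>",
    'overlong' => "\xC0\xBC" . 'script>',  // overlong 2-byte encoding of '<' (invalid UTF-8)
    'utf8ok'   => "caf\xC3\xA9 <i>",        // valid UTF-8 "café <i>"
];

if (PHP_SAPI !== 'cli') {
    // Declare the same charset the escaping above assumed.
    header('Content-Type: text/html; charset=' . APP_CHARSET);
}

foreach ($samples as $name => $raw) {
    $clean = normalizeInput($raw);
    echo $name, ': ', $clean === null ? 'REJECTED (invalid UTF-8)' : escapeForHtml($clean), PHP_EOL;
}

// Typed validation: only the first value parses as a positive integer.
var_dump(parsePositiveInt('42'), parsePositiveInt('0x2A'), parsePositiveInt('7; DROP'));
```

The "overlong" sample is rejected by `mb_check_encoding`, which is the point: a filter that only looks for the literal byte `<` would pass `\xC0\xBC`, and a decoder that tolerates overlong forms would turn it back into `<`. Checking encoding validity before any content filter removes that class of mismatch.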