Section 4.2.3
Top Level
Sub Level
General
Validate all input and output at major system boundaries, for example between the application and its database, and between the application and any external service it calls.
PHP
In addition to $_GET and $_POST, treat the $_SERVER and $_COOKIE arrays and the contents of remote files as tainted data. Many $_SERVER entries (HTTP_HOST, HTTP_USER_AGENT, HTTP_REFERER, REQUEST_URI, QUERY_STRING, PHP_SELF) are populated directly from the client's request.
For critical applications $_SESSION may also be classed as tainted data, since its contents are usually derived from earlier request data.
Never use the $_REQUEST super-global array. It conflates GET, POST and cookie data, and which source wins when keys collide is decided by the request_order and variables_order ini settings rather than by the code reading it.
Turn register_globals off. It pre-populates ordinary variables from request data, so any variable the code fails to initialise can be set by the client. The directive was deprecated in PHP 5.3 and removed in PHP 5.4; on current versions it no longer exists.
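The following added example (written for this page, not taken from the standard itself) applies the two rules above at the request boundary: each superglobal and a fetched remote body is treated as tainted and passed through an explicit allow-list or type check before application code sees it, and the GET/POST precedence is chosen in code instead of being left to $_REQUEST. The host allow-list, the page id range and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not part of the original standard: boundary validation of
// tainted request data in PHP. All names and limits below are assumptions.
declare(strict_types=1);

// Hypothetical allow-list of Host header values this application accepts.
const ALLOWED_HOSTS = ['app.example.com', 'localhost'];

/**
 * Page id supplied by the client. The source is chosen explicitly here
 * (POST preferred over GET) instead of relying on $_REQUEST precedence.
 */
function validatedPageId(array $get, array $post): ?int
{
    $raw = $post['id'] ?? $get['id'] ?? null;
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 1000000],
    ]);
    return $id === false ? null : $id;
}

/** $_SERVER['HTTP_HOST'] is client-controlled: compare against an allow-list. */
function validatedHost(array $server): ?string
{
    $host = strtolower((string) ($server['HTTP_HOST'] ?? ''));
    $host = preg_replace('/:\d+$/', '', $host);   // drop an explicit port
    return in_array($host, ALLOWED_HOSTS, true) ? $host : null;
}

/** Cookie values are tainted too: a session id must match the expected shape. */
function validatedSessionId(array $cookie): ?string
{
    $sid = (string) ($cookie['PHPSESSID'] ?? '');
    // Default PHP session ids use this alphabet; length bounds are assumed.
    return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $sid) === 1 ? $sid : null;
}

/**
 * Contents fetched from a remote URL (a JSON feed here) are validated
 * structurally before any field is used. A malformed feed is rejected whole
 * rather than partially accepted.
 */
function validatedFeed(string $body): ?array
{
    $data = json_decode($body, true, 8);
    if (!is_array($data) || !isset($data['items']) || !is_array($data['items'])) {
        return null;
    }
    $items = [];
    foreach ($data['items'] as $item) {
        if (!is_array($item) || !isset($item['title']) || !is_string($item['title'])) {
            return null;
        }
        if (strlen($item['title']) > 200) {   // bound length at the input boundary
            return null;
        }
        // Output encoding still happens at the output boundary (template),
        // so only the validated field is copied through, nothing else.
        $items[] = ['title' => $item['title']];
    }
    return $items;
}

// Constructed sample inputs standing in for the real superglobals and for a
// body returned by file_get_contents() on a remote URL.
$get    = ['id' => '42'];
$post   = [];
$server = ['HTTP_HOST' => 'app.example.com:8443'];
$cookie = ['PHPSESSID' => 'abcdefghijklmnopqrstuv'];
$remote = '{"items":[{"title":"Hello"},{"title":"World"}]}';

var_dump(validatedPageId($get, $post));
var_dump(validatedHost($server));
var_dump(validatedHost(['HTTP_HOST' => 'attacker.example.net']));
var_dump(validatedSessionId($cookie));
var_dump(validatedFeed($remote));
var_dump(validatedFeed('{"items":[{"title":123}]}'));
```

Each validator returns null on any failure so the caller must handle rejection explicitly; a mistyped or out-of-range value never reaches a query or a template. In the real application the functions would be called with the actual $_GET, $_POST, $_SERVER and $_COOKIE arrays and the fetched body.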