Section 4.2.3
General
Validate all input and output at major system boundaries, such as between application and database, application and external service, etc.
PHP

In addition to $_GET and $_POST, treat $_SERVER and $_COOKIE arrays and remote file contents as tainted data.

For critical applications $_SESSION may also be classed as tainted data.

Never use the $_REQUEST super-global array. It can conflate GET and POST data.

Turn register_globals off. It can create problems with pre-populated variables.
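
One way to apply the PHP rules above, as an added example that is not part of the original standard: each value is read from a named source array (never $_REQUEST), validated against an allow-list or strict pattern, and escaped at the output boundary. The helper `clean_input`, the validator names and the sample arrays are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for the super-globals so the script
// runs from the CLI; in a web request pass $_GET, $_COOKIE and $_SERVER.
$get    = ['page' => '3', 'sort' => "name'; DROP TABLE users--"];
$cookie = ['theme' => '<script>alert(1)</script>'];
$server = ['HTTP_USER_AGENT' => "Mozilla/5.0\r\nX-Injected: 1"];

/**
 * Hypothetical helper: return a validated value from a tainted array,
 * or the default when the key is missing or fails validation.
 */
function clean_input(array $source, string $key, callable $validator, $default = null)
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return $default; // missing, or an array such as ?page[]=1
    }
    $value = $validator($source[$key]);
    return $value === null ? $default : $value;
}

// Validators return the accepted value, or null to reject.
$positiveInt = function (string $v): ?int {
    $opts = ['options' => ['min_range' => 1, 'max_range' => 10000]];
    $n = filter_var($v, FILTER_VALIDATE_INT, $opts);
    return $n === false ? null : $n;
};
$oneOf = function (array $allowed): callable {
    return function (string $v) use ($allowed): ?string {
        return in_array($v, $allowed, true) ? $v : null;
    };
};
$printable = function (string $v): ?string {
    // Reject control characters (CR/LF included) and over-long values.
    return preg_match('/^[\x20-\x7E]{1,255}$/', $v) === 1 ? $v : null;
};

// Input boundary: every value names its source explicitly.
$page  = clean_input($get, 'page', $positiveInt, 1);
$sort  = clean_input($get, 'sort', $oneOf(['name', 'date']), 'name');
$theme = clean_input($cookie, 'theme', $oneOf(['light', 'dark']), 'light');
$agent = clean_input($server, 'HTTP_USER_AGENT', $printable, 'unknown');
var_dump($page, $sort, $theme, $agent);

// Output boundary: escape when the value leaves for HTML.
echo htmlspecialchars($agent, ENT_QUOTES, 'UTF-8'), "\n";
```

With the constructed input, only `page` passes validation; the other three values fall back to their defaults.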