• Sanitize input variables
• Escape all variables in output
  • Escaping xml/html output
    • Incorrect example
    • Correct example
    • From JavaScript
  • Escaping urls
    • Incorrect example
    • Correct example
  • Escaping url parameters
    • Incorrect example
    • Correct example
  • Escaping SQL output