Disclaimer: Language oriented: PHP
- It's what I know
- It's the lingua franca of the web
- It's one of the worst offenders
- Other web languages: Ruby, Perl, Python
http://xkcd.com/327/

== Rules ==

0. Follow existing security practices
1. String is not a type:
- Know where your strings are going (HTML, SQL, text?)
- Know what your string contains (plaintext, wikitext, HTML, bbcode?)
- Prefer to handle a "pure" version of the string internally
- Prefer safe APIs (prepared SQL statements, multi-arg exec, DOM builders) over escaping functions
2. String escaping/filtering functions are crypto. (Use them but don't roll your own.) (Don't Repeat Someone Else)
3. A browser sent a request. Did the user mean to send it?

This should be the basic outline of the talk.
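As an added illustration of rules 1 to 3 together (example code written for this page, not from the talk): a single PHP comment form that keeps the submitted text as plain text internally, hands it to SQL through a prepared statement rather than an escaping function, escapes it differently for the HTML and inline-script sinks using PHP's built-in functions, and refuses any POST that does not carry the session's CSRF token. The database file, table name and helper names (`csrf_token`, `csrf_check`, `e_html`, `e_js`) are assumptions made for the example.

```php
<?php
declare(strict_types=1);
// Added example, not code from the talk. Assumes PHP >= 7.3 with PDO SQLite
// and the built-in session handler. Save as comments.php and run with
// `php -S localhost:8000 comments.php`.

session_start();

// Rule 3: a browser sent a POST. Did the user mean to? Bind a per-session
// secret to the form and compare it in constant time on submission.
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrf_check(?string $submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

// Rule 1: escape at the sink, for the sink. The same "pure" plaintext gets
// a different treatment depending on where it is going.
function e_html(string $s): string {
    // HTML text / quoted-attribute context
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function e_js(string $s): string {
    // Inline <script> context: a JSON string literal with < > & ' " hex-escaped,
    // so a body containing "</script>" cannot close the element.
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Rules 1 and 2 for SQL: do not escape at all; bind parameters so the data
// never reaches the SQL parser as code.
function save_comment(PDO $pdo, string $author, string $body): void {
    $stmt = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
}

function list_comments(PDO $pdo): array {
    return $pdo->query('SELECT author, body FROM comments ORDER BY id')
               ->fetchAll(PDO::FETCH_ASSOC);
}

// Assumed storage: a SQLite file next to the script (example setup only).
$pdo = new PDO('sqlite:comments.db', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE IF NOT EXISTS comments (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('Missing or invalid CSRF token');
    }
    // Store the plain text as submitted; no escaping happens at this layer.
    save_comment($pdo, (string)($_POST['author'] ?? 'anonymous'), (string)($_POST['body'] ?? ''));
    // Redirect after POST so a reload does not resubmit the form.
    header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
    exit;
}

$token = csrf_token();
$comments = list_comments($pdo);
$last = $comments ? end($comments) : ['author' => '', 'body' => ''];
?>
<!doctype html>
<meta charset="utf-8">
<form method="post">
  <input type="hidden" name="csrf" value="<?= e_html($token) ?>">
  <input name="author" placeholder="name">
  <textarea name="body"></textarea>
  <button>Post</button>
</form>
<ul>
<?php foreach ($comments as $c): ?>
  <li><b><?= e_html($c['author']) ?></b>: <?= e_html($c['body']) ?></li>
<?php endforeach; ?>
</ul>
<script>
  // Same data, different sink: a JS string literal, not HTML text.
  const lastAuthor = <?= e_js($last['author']) ?>;
  console.log("last comment by", lastAuthor);
</script>
```

Submitting a body such as `</script><script>alert(1)</script>` or an author of `x' OR '1'='1` exercises the three sinks: the HTML list shows the text literally, the inline script receives it as a harmless string literal, and the SQL statement stores it unchanged because the value was bound, not interpolated. Posting the form from another origin without the session token is rejected before any database write.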