<?xml version="1.0"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom">
	<channel>
		<title>Page comments</title>
		<link>http://www.ssbits.com/home/</link>
		<atom:link href="http://www.ssbits.com/home/" rel="self" type="application/rss+xml" />
		<description></description>

		
		<item>
			<title></title>
			<link>http://www.ssbits.com/snippets/2010/securing-your-site/#PageComment_297</link>
<description>@hamish: Yes, that's a nice convention, but personally I don't like holding variables I'm not going to use. So if the raw var is solely used to be converted to a safe var, then I don't keep it.

@greg: This graphic isn't mine or SSBits'. It's a very well-known comic from XKCD: http://xkcd.com/327/ (which really should be credited), so here is the credit!</description>
			<pubDate></pubDate>
			<dc:creator>RSSName</dc:creator>
			<guid>http://www.ssbits.com/snippets/2010/securing-your-site/#PageComment_297</guid>
		</item>
		
		<item>
			<title></title>
			<link>http://www.ssbits.com/snippets/2010/securing-your-site/#PageComment_296</link>
			<description>Hey, I found this graphic being used on a related article on Smashing Magazine. Check it out @ http://www.smashingmagazine.com/2011/01/11/keeping-web-users-safe-by-sanitizing-input-data/</description>
			<pubDate></pubDate>
			<dc:creator>RSSName</dc:creator>
			<guid>http://www.ssbits.com/snippets/2010/securing-your-site/#PageComment_296</guid>
		</item>
		
		<item>
			<title></title>
			<link>http://www.ssbits.com/snippets/2010/securing-your-site/#PageComment_93</link>
<description>A handy convention - from the SilverStripe core and elsewhere - suffix variables that you might use for database lookups with &quot;_RAW&quot; (pre-converted) or &quot;_SQL&quot; (SQL safe) to remind you what is safe to use and what isn't. 
Eg:
$id_RAW = Director::urlParam('ID');
$id_SQL = Convert::raw2sql($id_RAW);

Casting to an expected data type can be a convenient short cut. Ie, this is a convenient short cut for getting objects by ID (since an ID of zero will never find an object):

$obj = DataObject::get_by_id(&quot;SomeObject&quot;, (int)Director::urlParam('ID'));

</description>
			<pubDate></pubDate>
			<dc:creator>RSSName</dc:creator>
			<guid>http://www.ssbits.com/snippets/2010/securing-your-site/#PageComment_93</guid>
		</item>
		

	</channel>
</rss>