Although in general easy to avoid SQL-Injection and Cross-Site Scripting vulnerabilities are within the TOP 5 of web application flaws every year. The reasons are manifold. One of them could be bad application design where the security code is spread all over the place, or wrong use of validation, escaping or encoding. In the first part of this workshop you will learn the how to securely handle user input and where the handling belong in your code. In the second part we will look at several problematic code examples and evaluate which code can be secured and why some code should generally be avoided. In that part we will also cover many lesser known security problems like NULL byte injections or userialize vulnerabilities.