Security

All GET/POST form values go into %FORM in BML, but check LJ::did_post() on critical actions. GET requests can be easily spoofed, or hidden in images, etc.

Never read in arbitrary amounts of input.

Never use unsanitized data in a command or SQL.
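As an added illustration (not LiveJournal's own code), here is a Perl handler in the style of a BML page that applies all three rules to one state-changing action. It assumes %FORM is in scope as it is inside a BML code block, a DBI handle $dbh, a hypothetical user_bio table, and a hypothetical /usr/local/bin/reindex-bio helper.

```perl
use strict;
use warnings;

our %FORM;   # assumption: populated by BML from the GET/POST form values

sub handle_update_bio {
    my ($dbh) = @_;

    # Rule 1: %FORM holds GET and POST values alike, so a state-changing
    # action must confirm the request was really POSTed. A plain GET can be
    # triggered by an <img src=...> placed on any page the user visits.
    return "Error: bio can only be changed via POST\n"
        unless LJ::did_post();

    my $userid = $FORM{'userid'};
    my $bio    = $FORM{'bio'};

    # Rule 2: never accept arbitrary amounts of input. Bound the size and
    # shape of every value before doing anything else with it.
    return "Error: bad userid\n"
        unless defined $userid && $userid =~ /^\d{1,10}$/;
    return "Error: bio missing or too long\n"
        unless defined $bio && length($bio) <= 1024;

    # Rule 3 (SQL): never interpolate form data into a statement. The unsafe
    # form would be
    #   $dbh->do("UPDATE user_bio SET bio='$bio' WHERE userid=$userid");
    # Placeholders pass the values to the driver apart from the SQL text.
    my $rows = $dbh->do(
        "UPDATE user_bio SET bio=? WHERE userid=?",
        undef, $bio, $userid,
    );
    return "Error: database update failed\n" unless defined $rows;

    # Rule 3 (commands): if an external helper must run, use the list form
    # of system() so no shell ever parses the user-supplied value, and pass
    # only the already-validated numeric id.
    my $rc = system('/usr/local/bin/reindex-bio', $userid);   # hypothetical helper
    return "Error: reindex failed\n" if $rc != 0;

    return "Bio updated\n";
}
```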