• Don’t rely on javascript based client side validation.
• Don’t rely on HTML based client side validation (things like the MAXLENGTH attribute on texboxes)
• Avoid XSS attacks by HTMLEncoding your data when displaying them – especially if its user-entered.
• Escape data that you will be concatenating in an SQL statement to avoid SQL injection attacks.
• When it comes to data that is your own (e.g. price of a certain item in a shopping cart app) as opposed to data entered by the user (e.g. how many items the user wished to buy) don’t rely on form based or Querystring based data as these can be changed just by using a tool like Fiddler, or just saving the HTML locally and editing it.
• Don’t rely on HTTP headers like Referer (sic) for any kind of validation.

I was hoping for somewhat more from the presentation. In fact, it would be fair to say I was quite disappointed. Almost Everything he said seemed pretty basic to me. I mean anyone other than an absolute script/html kiddie should be making any of those mistakes.
Are paid professionals actually stupid enough to make such basic mistakes that it would warrant a whole presentation just on these fundamentals? (He was saying how he’s been making several presentations on the same subject all over the place. And this was a conference arranged for professionals .. certainly not a bunch of n00bs.) Most of the audience seemed impressed. Well certainly not as unimpressed as I was.
So what’s going on?

I don’t mean to take anything away from the presenter Barry Dorrans, though.