- Unescape, sanitize or validate at all entry points.
- Escape all outputs (this includes the database queries).

If you follow those simple rules, you never have to check once you are past a controller. And you should fuzz your controllers to make sure no unexpected data makes it past there.
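As an added illustration of the two rules above (not code from the comment's author): a small Python controller validates at the entry point, the only two outputs (a database query and an HTML fragment) are escaped at emission, and a fuzz loop confirms nothing unexpected gets past the controller. The username contract, the `users` table and the sample row are assumptions constructed for the example.

```python
import html
import random
import re
import sqlite3
import string

# Entry point ("controller"): untrusted input is validated into typed values
# here; code past this boundary can rely on their shape without re-checking.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")  # assumed contract for usernames

def parse_request(raw_params):
    """Validate a raw query-string dict; raise ValueError on anything unexpected."""
    username = raw_params.get("user", "")
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    try:
        page = int(raw_params.get("page", "1"))
    except ValueError:
        raise ValueError("page is not an integer")
    if not 1 <= page <= 1000:
        raise ValueError("page out of range")
    return {"user": username, "page": page}

def render_bio(conn, params):
    """Two outputs, both escaped: the username reaches the database as a bound
    parameter (never concatenated into SQL); the bio reaches HTML via html.escape."""
    row = conn.execute("SELECT bio FROM users WHERE name = ?", (params["user"],)).fetchone()
    return "<p>" + html.escape(row[0] if row else "no such user", quote=True) + "</p>"

def fuzz_controller(trials=2000, seed=1):
    """Throw random printable strings at the entry point. Each input must be
    rejected or yield values meeting the contract; returns how many were rejected."""
    rng = random.Random(seed)
    rejected = 0
    for _ in range(trials):
        raw = {k: "".join(rng.choice(string.printable) for _ in range(rng.randint(0, n)))
               for k, n in (("user", 40), ("page", 6))}
        try:
            out = parse_request(raw)
            # Anything that passed the controller must satisfy the contract.
            assert USERNAME_RE.fullmatch(out["user"]) and 1 <= out["page"] <= 1000
        except ValueError:
            rejected += 1
    return rejected

def demo():
    """Constructed sample database; the bio deliberately contains markup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, bio TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", 'I <3 "quotes" & tags'))
    return render_bio(conn, parse_request({"user": "alice", "page": "2"}))
```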