I found this post quite educational, especially about what items in the various superglobals ($_GET, $_POST, $_SERVER, $_COOKIE, $_SESSION) are tainted. Basically, the gist is that $_GET, $_POST, and $_COOKIE are always provided from the user, and therefore have to be considered tainted. $_SESSION is stored by the server, and shouldn’t be tainted if you did your job right (i.e., you didn’t store any tainted data in the session). $_SERVER, though, is more complex, because some of the values in that array come from the web browser, despite the name of the array. Check the comments for more detail.