So, a secure application always has to validate values from client side
originated variables, independently of whether the values were retrieved from
$_GET, $_POST, $_COOKIE or $_REQUEST.


You should always validate ALL external variables.


As for server side originated variables, these do not need to be
validated if you get them from $_SESSION, $_SERVER and $_ENV.


THIS IS NOT TRUE.

Some $_SERVER variables can be influenced by the client (e.g.
$_SERVER['PATH_INFO'], being one example) (same for $_ENV).

$_SESSION validation is equally important, but slightly different. You need
to make sure (for example) that your sessions aren't being hijacked.
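
An added example, not part of the original message: one way to treat $_SERVER['PATH_INFO'] as untrusted input and to add a basic session-binding check. The function names, the allowed path pattern and the User-Agent binding are assumptions chosen for illustration.

```php
<?php
// Added example (hypothetical helper names); run from the CLI with constructed input.

/** Return PATH_INFO if it matches a strict allow-list pattern, '/' if absent, null if rejected. */
function validated_path_info(array $server): ?string
{
    $path = $server['PATH_INFO'] ?? '';
    if ($path === '') {
        return '/';
    }
    // Assumed policy: segments of letters, digits, '-' and '_' only, at most 255 bytes.
    // This rejects NUL bytes, '..' traversal, empty segments and encoded characters.
    if (!is_string($path) || strlen($path) > 255
        || !preg_match('#\A(?:/[A-Za-z0-9_-]+)*/?\z#', $path)) {
        return null;
    }
    return $path;
}

/**
 * Record a hash of the User-Agent when the session is first seen and compare it
 * on later requests. This is a weak heuristic (the header is client-controlled),
 * so it complements, not replaces, regenerating the session ID at login.
 */
function session_binding_ok(array &$session, array $server): bool
{
    $fingerprint = hash('sha256', $server['HTTP_USER_AGENT'] ?? '');
    if (!isset($session['ua_hash'])) {
        $session['ua_hash'] = $fingerprint; // first request: store the binding
        return true;
    }
    return is_string($session['ua_hash'])
        && hash_equals($session['ua_hash'], $fingerprint);
}

// Constructed sample values standing in for $_SERVER and $_SESSION.
foreach (['/articles/42', '/../etc/passwd', "/a\0b", '//'] as $sample) {
    var_dump(validated_path_info(['PATH_INFO' => $sample]));
}

$session = [];
var_dump(session_binding_ok($session, ['HTTP_USER_AGENT' => 'UA-one'])); // stores binding
var_dump(session_binding_ok($session, ['HTTP_USER_AGENT' => 'UA-two'])); // different client
```

In a real request handler the same functions would be called with $_SERVER and $_SESSION after session_start(), and a failed check would end the request or destroy the session.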
