A reasonable approach is to first validate all requests before performing any other processing. Such checks can include:

• check for requests whose overall size is unreasonably large (some attacks send requests with large payloads, in an attempt to overload the server)
• check for unknown parameter names
• "sanity checks" for unreasonable parameter values, not expected during normal operation (for example, text of unreasonably large size, or a checkbox taking an unexpected value)

• complete - for example, items presented to the user in a static drop down list, under normal operation, will take only the values defined by the web application. Any other value constitutes an invalid request (almost always a hack) which may be given a short, unpolished response, perhaps in static HTML.
• partial - for example, a free form text area can be checked for size, but not for detailed content. As a second example, a business identifer can be checked for textual form, but validating it against the datastore is not appropriate at this early stage in processing

• first, validate the input can indeed build an Integer. This validation might be performed on the application's behalf by a framework which defines reasonable policies for converting text into an Integer, Date, BigDecimal, and so on.
• second, validate the Integer is, say, in the range 0..150. This sort of validation can only be performed by an application, not by a framework.

This two-step validation style is used in the WEB4J framework. In WEB4J, business validations are performed by a Model Object constructor.

Controls in an HTML form can perform simple validations. For example, a control for entering a number may be assigned a minimum and maximum accepted value. In order to be secure and robust, an app should repeat such validations on the server-side.