Originally posted by James Ellis:
Expanding on that..if the request came to you via a GET or POST, it should already be encoded.
Not necessarily.
If the data was from a form submission, then yes, the data is automatically encoded.
However, if a link with parameters was built in code (either client or server side), then the data needs to be properly encoded.
That also applies to Ajax requests.