Davy interview question

How can you defend against web application attacks like SQL injection, XSS, etc.? Also, what if client-side validation is turned off?