The utilities generally protect your web programs from HTML/JavaScript injection automatically.
Pretend you have a web forum where posts and post titles with slashes and dots in them are perfectly fine. For these situations, you can bypass security by using the GetCgiVar_S function and do your own filtering, or you can use GetCgiVar_SafeHTML. The _S suffix means "specify security setting", while the _SafeHTML suffix means that the HTML is filtered and safely output using HTML entities.
To completely bypass security while getting a CGI variable (URL variable, POST variable, GET variable), pass 0 (zero) to the GetCgiVar_S function; it will give you the data unfiltered and raw. Careful, though: setting security to zero is what all PHP/Perl/typical programmers do when they use for PHP variables, especially when register_globals is on in their INI files. When no security is implemented, a lot of websites are hacked into using simple URL variable injections.
Security was built into versions 1.5 and 1.6 so that web developers spend less time worrying about these issues. However, you will have to bypass security more often than you think, since some web programs allow some special characters in at times. Other web programs wish to add custom filters on the GetCgiVar requests and wish to allow slashes in; for example, slashes are fine when having people input in a blog or forum.
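The "do your own filtering" path described above, as an added example that is not Powtils code: EscapeHtml is a hypothetical helper that entity-encodes a raw value at output time, so slashes and dots pass through while markup is neutralized. The two constants are constructed inputs standing in for values read with security 0; the GetCgiVar_S parameter order shown in the comment is an assumption.

```pascal
program RawVarFilterDemo;
{$mode objfpc}{$H+}

{ Added example, not part of Powtils. EscapeHtml is a hypothetical helper
  for values that were fetched raw (security level 0) and are about to be
  written into an HTML page. }
function EscapeHtml(const Raw: string): string;
var
  i: Integer;
begin
  Result := '';
  for i := 1 to Length(Raw) do
    case Raw[i] of
      '&':  Result := Result + '&amp;';   { must be encoded first-class: starts entities }
      '<':  Result := Result + '&lt;';    { opens a tag }
      '>':  Result := Result + '&gt;';    { closes a tag }
      '"':  Result := Result + '&quot;';  { breaks out of a quoted attribute }
      '''': Result := Result + '&#39;';   { same, for single-quoted attributes }
    else
      { slashes, dots and everything else are kept as typed }
      Result := Result + Raw[i];
    end;
end;

const
  { Constructed sample inputs. In a real program these would come from
    something like GetCgiVar_S('title', 0) and GetCgiVar_S('body', 0)
    (argument order assumed), i.e. completely unfiltered request data. }
  SampleTitle = 'Re: paths like ../docs/readme.txt and a/b';
  SampleBody  = 'see <script>alert(1)</script> & "quotes" in /usr/lib';

begin
  { Encode at the point of output, every time the raw value is written. }
  WriteLn('<h2>', EscapeHtml(SampleTitle), '</h2>');
  WriteLn('<p>', EscapeHtml(SampleBody), '</p>');
end.
```

Entity encoding only covers output into HTML; a raw value that goes into a query still needs the SQL escaping mentioned at the end of this page.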
We (the developers) think better safe than sorry is a good programming practice though and that automatic filtering stops hundreds of web programs from being unsafe. Programmers are lazy, and cannot possibly remember to filter every incoming variable all the time - even experienced and seasoned developers.
While automatic security can frustrate a few developers who first start using these utilities without reading the docs, there is no excuse, because one can always escape automatic security by calling the _S suffixed functions. One just has to know the difference between the _S function, the regular function, and the _SafeHTML functions by reading the docs.
Side note: One of the developers of these utilities has broken into several PHP/Perl websites (white hat, harmless hacking) to prove that even professional corporate websites programmed by professional programmers are not secure, and even professional, experienced developers forget to implement security on all incoming variables. If security was implemented by default like in Powtils, and one could turn it off only when needed, these sites would not have been hacked into.
You can also use SQLEscape() functions (which are included in your database API or with Powtils sqlutils).