eelixduppy - 1:58 pm on Mar 4, 2010 (gmt 0)
Improper Input Validation
It is essential to validate all input from an outside source. Most of the time this will be input you get from a web form, but this also includes URL variables, data from a database, flat-file system, FTP connection, et cetera, as there is no way to be sure that what you are expecting is what you are getting.
When checking for a specific type of input, you want to be as specific as possible and deny all of the ones that don't match your specification. So, for instance, if you want to make sure that a user inputs an integer, you check to see if the value is an integer, and if not, you prompt them -- however you choose -- to re-input the value (or, in the case that no user inputted it directly, you create an error message). PHP example:
// prompt user to input again
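An added PHP example, not from the original post, of the integer check described above: only values matching the specification are accepted, everything else is rejected, and the two cases from the post (re-prompt a user, or raise an error when no user is involved) are handled separately. The field names, ranges and sample record are assumptions for illustration.

```php
<?php
// Added example (not from the original post): a strict integer check that
// accepts only what matches the specification and rejects everything else.
// Field names, bounds and the sample record are assumptions for illustration.

declare(strict_types=1);

/**
 * Return the validated integer, or null if the value is not acceptable.
 * Whitelist approach: the value must be a string or int that parses as a
 * whole number and falls inside the allowed range. Anything else is rejected.
 */
function validateInt(mixed $value, int $min = 0, int $max = PHP_INT_MAX): ?int
{
    if (!is_string($value) && !is_int($value)) {
        return null;                       // arrays, null, objects: not an integer
    }
    $value = is_string($value) ? trim($value) : $value;
    // filter_var rejects "12abc", "1e3", "0x1A", "" and similar junk;
    // min_range/max_range keep the number inside the application's bounds.
    $result = filter_var($value, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $result === false ? null : $result;
}

// Interactive case: the value came from a web form, so re-prompt the user.
$age = validateInt($_POST['age'] ?? null, 0, 150);
if ($age === null) {
    http_response_code(400);
    echo 'Please enter your age as a whole number between 0 and 150.';
    exit;
}

// Non-interactive case: the value came from a flat file or database row,
// so there is nobody to re-prompt; log an error and refuse the record.
$row = ['quantity' => '12abc'];          // constructed sample record
$quantity = validateInt($row['quantity'], 1, 1000);
if ($quantity === null) {
    error_log('Rejected record: quantity is not an integer in range');
    // handle the rejected record (skip it, quarantine it, abort the import...)
}
```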