Two cents on that . . . in cases of user input, it's not so much your users (which is important on it's own) but that those who would abuse your site do so from command line apps without even touching the form. They completely circumnavigate the form with a post directly to your script. In such cases they can inject data you wouldn't expect.