
phpblog@developerWorks:
Thou Shalt Never Trust User Input
Jul 08, 2005 @ 11:29:17

On the phpblog@developerWorks blog today, there's this entry from Zeev Suraski concerning the validation of user input. I think he sums it up well...

One of the concepts that are most difficult for new Web developers to fully grasp, is just how dangerous it is to trust user input. Just in the last week, there've been around a dozen or so different reports of vulnerabilities found in Web applications - mostly all of them revolve around unchecked user input.

Because of PHP's dominance in the Web application development world, many of the vulnerable applications were ones written in PHP, which hurt PHP's security track record, even though it's not the language which is at fault (the same applications, written in any other language, would have suffered from the same vulnerabilities).

He notes that, while validating user input is a necessary evil, it is not an easy thing to do right now. The cleansing of all user input falls squarely on the shoulders of the developer, and even lesser-known issues (like the spoofing of $_SERVER values, since the HTTP_* entries are copied straight from the request headers) have to be taken into consideration...

Paraphrasing agent Mulder's immortal words, 'Trust Nothing'.
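As an added illustration of the point above (this is example code written for this page, not from Zeev's post or from PHP itself), the script below treats $_GET values and $_SERVER['HTTP_*'] values identically: every one of them is validated against an explicit rule or allowlist before use, and anything that fails is rejected rather than "cleaned". The function names, the allowlists and the sample requests are all constructed for the example; it targets PHP 8 or later.

```php
<?php
// Added example, not from the original post: treat every request-derived
// value, including $_SERVER['HTTP_*'] entries, as untrusted user input.
// All function names, allowlists and sample requests below are constructed.

declare(strict_types=1);

// Validate a user-supplied integer id against an explicit range.
// FILTER_VALIDATE_INT rejects strings such as "12abc", " 12" or "" and
// returns false, so anything that is not a clean in-range integer is dropped.
function validate_id(mixed $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX],
    ]);
    return $id === false ? null : $id;
}

// Validate a user-supplied page name against an allowlist of known pages.
// Strict comparison (third argument true) avoids PHP's loose type juggling.
function validate_page(mixed $raw, array $allowedPages): ?string
{
    return (is_string($raw) && in_array($raw, $allowedPages, true)) ? $raw : null;
}

// $_SERVER['HTTP_HOST'] (like HTTP_REFERER and HTTP_X_FORWARDED_FOR) is filled
// from a request header, so it is exactly as client-controlled as $_GET.
// It is only accepted here if, after stripping an optional port, it matches a
// host the application was configured to serve.
function trusted_host(array $server, array $allowedHosts): ?string
{
    $host = $server['HTTP_HOST'] ?? '';
    $host = strtolower(preg_replace('/:\d+$/', '', $host) ?? '');
    return in_array($host, $allowedHosts, true) ? $host : null;
}

// Output encoding is applied regardless of whether validation passed;
// validation and escaping are separate steps, not substitutes for each other.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample requests (not captured traffic).
$samples = [
    ['GET' => ['id' => '42',    'page' => 'profile'],   'SERVER' => ['HTTP_HOST' => 'example.test']],
    ['GET' => ['id' => '42abc', 'page' => 'unknown'],   'SERVER' => ['HTTP_HOST' => 'other-host.test']],
    ['GET' => ['id' => '-1',    'page' => 'profile'],   'SERVER' => ['HTTP_HOST' => 'EXAMPLE.test:8080']],
];
$allowedPages = ['home', 'profile', 'settings'];
$allowedHosts = ['example.test'];

foreach ($samples as $i => $req) {
    $id   = validate_id($req['GET']['id'] ?? null);
    $page = validate_page($req['GET']['page'] ?? null, $allowedPages);
    $host = trusted_host($req['SERVER'], $allowedHosts);

    printf(
        "request %d: id=%s page=%s host=%s\n",
        $i,
        $id === null ? 'REJECTED' : (string) $id,
        $page === null ? 'REJECTED' : $page,
        $host === null ? 'REJECTED' : $host
    );

    // Only fully validated values reach the response, and they are still escaped.
    if ($id !== null && $page !== null && $host !== null) {
        echo '  <a href="https://' . h($host) . '/' . h($page) . '?id=' . $id . '">ok</a>' . "\n";
    }
}
```

Run it with `php` from the command line: request 0 passes all three checks, request 1 is rejected on every field, and request 2 shows why the checks are independent (the host is accepted once the port is stripped and the case normalised, but the out-of-range id still fails). The design point is that rejection against an allowlist is the default, and the one value built from request data that is echoed back is escaped on the way out even though it already passed validation.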
