
Trust Nobody

Posted by Cody in PHP, Web on Jan 16

One important lesson when developing applications (I’m focusing on websites here, but this applies to all types of applications) is to stop trusting the user.

In a nutshell, do not trust any input you receive from a user. Seriously, do not assume it is clean and good; treat all user input (whether it is cookies, text from a text box or something else) as potentially dangerous. Check it, filter it, escape it.

Never let input from a user go straight into your database or onto a page without filtering it. If you let it straight into the database you leave yourself open to SQL injection and other attacks.

[xkcd comic, image not reproduced] This is why you should clean up all input.

Keep that in mind when you are developing an application: any and all user input needs to be checked out, torn to pieces, ripped apart and put back together before it is considered safe.
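To make the "check it, filter it, escape it" rule concrete, here is an added example (my code, not from the original post) showing the same user lookup written the careless way and the careful way. It assumes PHP with the PDO SQLite driver; the table, rows and inputs are constructed inline so it runs on its own.

```php
<?php
// Added example: user input pasted into SQL versus input that is checked,
// bound as a parameter and escaped before it reaches the page.
// Assumes the PDO SQLite driver; the users table below is constructed here.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name, email) VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// VULNERABLE: the user's text becomes part of the SQL statement itself, so a
// quote in the input ends the string literal and the rest is executed as SQL.
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name, email FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: check the input against what a username may look like, then bind
// it as a parameter so the database only ever sees it as data.
function findUserSafe(PDO $pdo, string $name): array
{
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $name)) {
        return []; // filter: anything outside the allowed shape is rejected
    }
    $stmt = $pdo->prepare('SELECT id, name, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// ESCAPE: nothing that came from a user (directly or via the database) goes
// onto a page without being converted to plain text for HTML.
function renderName(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: an ordinary lookup and a string that ends the quoted
// literal early. In the unsafe version the WHERE clause no longer compares a
// name; in the safe version the check rejects it before any query runs.
$normal  = 'alice';
$hostile = "' OR '1'='1";

printf("unsafe/normal:  %d row(s)\n", count(findUserUnsafe($pdo, $normal)));
printf("unsafe/hostile: %d row(s)\n", count(findUserUnsafe($pdo, $hostile)));
printf("safe/normal:    %d row(s)\n", count(findUserSafe($pdo, $normal)));
printf("safe/hostile:   %d row(s)\n", count(findUserSafe($pdo, $hostile)));
echo renderName('<b>' . $hostile . '</b>'), "\n";
```

Even if the whitelist check were dropped, the prepared statement on its own would treat the hostile string as a literal username that matches nothing; the check is there because input that reaches the database should already be the shape you expect.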