
Your Plan to Secure your code

Never trust the user! Validate all input coming from a user. This includes every part of an HTTP request that you're processing: the header names and values, the cookie names and values, the querystring parameters, web form values, and any other data included in the message body.

Always use whitelist (allowlist) input validation to test input; that is, test whether an input matches an expected good format and reject it if it doesn't. Avoid blacklist (blocklist) input validation; that is, testing whether an input matches an expected bad format and rejecting it if it does. A blacklist can only catch the bad inputs you already thought of, and an attacker will find an encoding or variant you didn't.

Never perform validation only on the client side; an attacker can trivially bypass JavaScript checks by sending the request directly. Always validate on the server side, even when you also validate on the client for usability.

Use regular expressions for more complicated validation logic like testing e-mail addresses, and anchor them so they match the whole input rather than a fragment of it. Unless you're a regex expert, also consider using regex from one of the public databases such as regexlib.com or a commercial regex ...
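The following is an added example, not code from the original post: a server-side validator, written in Python, that applies allowlist patterns to every part of a request the post lists (header names and values, cookie names and values, querystring parameters and form fields). The field names, patterns and sample requests are all constructed for this illustration and would need tuning for a real application. It also shows two things the paragraph above only states: a blocklist check being bypassed by an input it never anticipated, and why the regex must be anchored with `fullmatch` (in Python, `$` still matches before a trailing newline, so `^...$` with `match` lets `"alice\n"` through).

```python
import re
from typing import Dict, List, Tuple

# Allowlist patterns (constructed for this example): each describes what a GOOD
# value looks like.  Anything that does not match the whole value is rejected.
ALLOWLIST: Dict[str, re.Pattern] = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "age":      re.compile(r"(0|[1-9][0-9]{0,2})"),            # 0..999, no leading zeros
    "email":    re.compile(r"[A-Za-z0-9._%+-]{1,64}@(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,24}"),
    "session":  re.compile(r"[A-Fa-f0-9]{32}"),                # hex session token
}

# Generic allowlists for header names and values: printable ASCII only, which
# rules out CR/LF and therefore header injection.  Length caps bound work done.
HEADER_NAME = re.compile(r"[A-Za-z0-9-]{1,64}")
HEADER_VALUE = re.compile(r"[\x20-\x7e]{0,1024}")

# The approach the post warns against: a list of known-bad fragments.
BLOCKLIST = ("<script", "javascript:", "' or ")


def allowlisted(field: str, value: str) -> bool:
    """True only if `field` is a known field AND `value` matches its pattern entirely."""
    pattern = ALLOWLIST.get(field)
    if pattern is None:
        return False            # unknown parameter names are rejected, not ignored
    return pattern.fullmatch(value) is not None


def blocklist_passes(value: str) -> bool:
    """Blocklist check: accepts anything that contains no known-bad fragment."""
    lowered = value.lower()
    return not any(bad in lowered for bad in BLOCKLIST)


# A loosely anchored pattern: '$' matches before a trailing newline in Python,
# so re.match() with '^...$' accepts "alice\n" while fullmatch() does not.
LOOSE_USERNAME = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def loose_match(value: str) -> bool:
    return LOOSE_USERNAME.match(value) is not None


def validate_request(headers: Dict[str, str], cookies: Dict[str, str],
                     query: Dict[str, str], form: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return the (part, name) pairs that failed validation; empty list means accept.

    Every part of the request is checked against an allowlist; nothing is checked
    against a blocklist.  Callers should refuse the whole request if the list is
    non-empty rather than try to sanitise the offending values.
    """
    rejected: List[Tuple[str, str]] = []
    for name, value in headers.items():
        if not (HEADER_NAME.fullmatch(name) and HEADER_VALUE.fullmatch(value)):
            rejected.append(("header", name))
    for name, value in cookies.items():
        if not allowlisted(name, value):
            rejected.append(("cookie", name))
    for source, fields in (("query", query), ("form", form)):
        for name, value in fields.items():
            if not allowlisted(name, value):
                rejected.append((source, name))
    return rejected


# Constructed sample requests (not captured traffic).
GOOD_REQUEST = dict(
    headers={"Host": "example.test", "User-Agent": "curl/8.0"},
    cookies={"session": "0123456789abcdef0123456789abcdef"},
    query={"username": "alice_01"},
    form={"email": "alice@example.test", "age": "34"},
)
BAD_REQUEST = dict(
    headers={"Host": "example.test",
             "X-Forwarded-For": "1.2.3.4\r\nSet-Cookie: admin=1"},   # CRLF injection
    cookies={"session": "0123456789abcdef0123456789abcdef"},
    query={"username": "<img src=x onerror=alert(1)>"},             # passes the blocklist
    form={"email": "alice@example.test\n", "age": "007"},
)

if __name__ == "__main__":
    print("good request rejected parts:", validate_request(**GOOD_REQUEST))
    print("bad request rejected parts: ", validate_request(**BAD_REQUEST))
    print("blocklist passes XSS payload:", blocklist_passes(BAD_REQUEST["query"]["username"]))
    print("loose anchor accepts 'alice\\n':", loose_match("alice\n"))
```

Two design points worth noting. Unknown parameter names are rejected rather than silently ignored, so a mass-assignment or parameter-pollution attempt fails loudly. And every pattern has a bounded length and no nested quantifiers; a regex copied from a public library should be checked for catastrophic backtracking before it is put in front of attacker-controlled input, because a validator that can be driven into exponential time is itself a denial-of-service vector.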