Software security lessons from someone who has spent a number of years cleaning a toilet used primarily by a small child:

1) end users cannot be trusted to provide input in the way you expect, they will continue to surprise you
2) end user input will make it way to places you thought impossible
3) end user input utimately will need to be sanitised multiple times