in reply to Template toolkit XSS

Always, always, always sanitise user input. You have no idea how that input was generated.

Think of a website as being an API that just happens to have a page you created attached to it. It is trivial to change the input generation method and fire back something totally unexpected to your POST or GET methods.
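An added illustration of that point, not code from the original thread: a Perl script that renders the same constructed request value through Template Toolkit twice, once with raw interpolation and once through the built-in `html` filter, which encodes `<`, `>`, `&` and `"` so the value is shown as text rather than parsed as markup. It assumes the Template module is installed; the parameter value is constructed for the demonstration.

```perl
use strict;
use warnings;
use Template;

# Constructed sample of a request parameter. The client controls this
# value completely; a form field on your page is only one way it may
# have been produced, so treat it as arbitrary bytes, not as a "name".
my $untrusted = '<script>alert("xss")</script>';

my $tt = Template->new();

# Unsafe: [% name %] copies the value into the HTML verbatim.
my $unsafe_tmpl = 'Hello, [% name %]!';

# Safe: the html filter encodes <, >, & and " at output time, so the
# browser renders the markup as literal text instead of executing it.
my $safe_tmpl = 'Hello, [% name | html %]!';

for my $tmpl ($unsafe_tmpl, $safe_tmpl) {
    my $out;
    # process() takes a template reference, a variable hash and an
    # output reference; it returns false (and sets error) on failure.
    $tt->process(\$tmpl, { name => $untrusted }, \$out)
        or die $tt->error;
    print "$out\n";
}
```

Compare the two printed lines: only the filtered template leaves no `<script>` tag in the rendered page, which is the check to apply to every place a template interpolates request-derived data.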