The key here is to never ever ever EVER trust user input.
When you are programming CGI of any type you must look at
every piece of input and say "what's the worst possible thing
that a user could enter into this field, and how would I deal
with it?"
In short, program defensively.
Mark
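As an added illustration of that advice (example code, not part of Mark's post), a small Python allowlist check over a CGI-style QUERY_STRING: every field is judged against an explicit rule, and anything unexpected, repeated, empty, over-long or outside the allowlist is rejected rather than passed through. The field names, rules and sample inputs are constructed for the example.

```python
import re
from urllib.parse import parse_qs

# Field rules: name -> (allowlist regex, max length). Constructed for this
# example; a real form defines its own, one rule per field it expects.
FIELD_RULES = {
    "user":  (re.compile(r"[A-Za-z0-9_]+"), 32),
    "email": (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), 254),
    "age":   (re.compile(r"[0-9]{1,3}"), 3),
}

def validate_query(query_string):
    """Parse a CGI-style QUERY_STRING and check every field against its rule.

    Returns (clean, errors): `clean` holds only the fields that passed,
    `errors` lists a reason for every field that was rejected or missing.
    """
    clean, errors = {}, []
    # keep_blank_values so an empty field is seen and judged, not silently dropped
    params = parse_qs(query_string, keep_blank_values=True)
    for name, values in params.items():
        if name not in FIELD_RULES:
            errors.append(f"{name}: unexpected field")
            continue
        if len(values) != 1:
            errors.append(f"{name}: supplied {len(values)} times, expected once")
            continue
        value = values[0]
        pattern, max_len = FIELD_RULES[name]
        if len(value) > max_len:
            errors.append(f"{name}: longer than {max_len} characters")
        elif not pattern.fullmatch(value):  # fullmatch: whole value must fit the allowlist
            errors.append(f"{name}: contains characters outside the allowlist")
        else:
            clean[name] = value
    # Expected fields that never arrived are an error too.
    for name in FIELD_RULES:
        if name not in params:
            errors.append(f"{name}: missing")
    return clean, errors

if __name__ == "__main__":
    # Constructed sample inputs: one well-formed, one with bad and surplus fields.
    for qs in ("user=mark&email=mark%40example.org&age=42",
               "user=mark%3B%27&email=&age=42&debug=1"):
        print(validate_query(qs))
```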