in reply to Re: Do I have to untaint all user input in a form?
in thread Do I have to untaint all user input in a form?
It is important to realise that when a form is posted to a server, there is no schema information sent with it. For instance, what you think may be a radio button or check box (and thus an expected string value) can be anything when it is posted from somewhere else.
A contrived example (which I unfortunately have seen happening in the real world):
<FORM METHOD=post ACTION=/doit.pl>
<INPUT NAME=action TYPE=checkbox VALUE="INSERT INTO table VALUES (1,2,3)">
<INPUT TYPE=submit>
</FORM>
may coerce you into thinking that the value on the server of the field "action" is either the INSERT statement or nothing.
However, anybody in the world with access to Perl and LWP.pm might easily set up a request to "/doit.pl":
use LWP::UserAgent;
my $ua = LWP::UserAgent->new;
my $req = HTTP::Request->new(POST => 'http://your.server.com/doit.pl');
$req->content(q{action=DELETE%20FROM%20table});
$ua->request($req); # kaboom, your table is gone

So, even if you thought you could trust the value of a checkbox, you can't. You always need to check values coming in from the form. Always.
Liz
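Checking the posted value on the server side, as an added example that is not Liz's code and not from this thread: a /doit.pl handler running under taint mode that accepts only an allow-listed token for "action", maps that token to a fixed statement of its own, and binds the row values with placeholders, so nothing the client sends is ever executed as SQL. CGI.pm, DBI and the SQLite DSN are assumptions; the table and column names are placeholders.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): a /doit.pl that never trusts "action".
# Assumes CGI.pm and DBI are installed; the DSN and table are placeholders.
use strict;
use warnings;
use CGI;
use DBI;

# Allow-list: the only tokens the form is supposed to post. The SQL text
# lives here on the server; the client only ever chooses a key.
my %allowed_action = (
    add => 'INSERT INTO table (a, b, c) VALUES (?, ?, ?)',
);

# Returns the fixed SQL for a posted token, or undef if the token is not
# on the allow-list. The regex capture is also the only way taint mode
# will let the value through, and it rejects anything but a short word.
sub validate_action {
    my ($raw) = @_;
    return undef unless defined $raw;
    my ($token) = $raw =~ /\A([a-z]{1,16})\z/ or return undef;
    return exists $allowed_action{$token} ? $allowed_action{$token} : undef;
}

sub main {
    my $q   = CGI->new;
    my $sql = validate_action( scalar $q->param('action') );

    # "DELETE FROM table", an empty value, or any other surprise ends here.
    unless (defined $sql) {
        print $q->header(-status => '400 Bad Request', -type => 'text/plain');
        print "unexpected value for 'action'\n";
        return;
    }

    my $dbh = DBI->connect('dbi:SQLite:dbname=example.db', '', '',
                           { RaiseError => 1, AutoCommit => 1 });
    my $sth = $dbh->prepare($sql);   # statement text is ours, values are bound
    $sth->execute(1, 2, 3);
    $dbh->disconnect;

    print $q->header(-type => 'text/plain');
    print "ok\n";
}

main();
```

The point of the allow-list is that the checkbox's VALUE attribute never needs to carry SQL at all: the browser posts a harmless token, and the server decides what that token means.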