Seconded. Users are dirty, untrustworthy creatures who should all be rounded up and shot (but I guess they'd have a hard time using your app; then again, that'd fix any load problems . . . hrmm, tough call :).

Never trust anything provided by a user. If at all possible, don't even send information you're going to use to them to begin with. Send them a "token" (actually the word I'd use here normally would be "cookie", but considering the context that might be overloading the term a bit much; it might be very well keyed off of an HTTP cookie, or it could be something in the URL), then use your copy of the information keyed by that token instead (after verifying that they match up with that token via whatever authentication you're doing, of course). They see a display copy of the information, but you work from your version and validate / scrub / cleanse any changes you receive from the user before updating your version.