You're trusting that input is from your form, and that your form has gone unedited. Clientside .*script is helpful, but is no substitute for good practice.

After Compline,
Zaxo