by eterm
3166 days ago
I would consider "user input" to be everything coming back from the client; that includes everything down to cookies, HTTP headers and form values. Validate everything. Re-check authorisation always. My favourite too was being new to a development job and buying our biggest package for a penny. What I hadn't counted on was that this was a fairly new system and the CEO was still copied in on every buy order. Thankfully the company took it in good spirit; I was even sent an expenses form to reclaim the penny! :)
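The two rules in the comment above (treat every client-supplied field as untrusted, and re-derive authorisation on the server for each action) side by side with the price-tampering bug it describes, as an added example that is not the commenter's code. The catalog, session store, entitlement table and request dicts are all constructed for this example; a real handler would read them from its framework and database.

```python
"""Added example (not from the comment's author): a checkout handler that
treats every client-supplied field as untrusted, beside the pattern that
let a package be bought for a penny.

Assumptions (constructed for this example): an in-memory catalog, session
store and entitlement table, and a request represented as a plain dict
with 'cookies', 'headers' and 'form' sub-dicts.
"""
from decimal import Decimal

# Constructed server-side catalog: the only source of truth for prices.
CATALOG = {
    "basic": Decimal("9.99"),
    "enterprise": Decimal("499.00"),
}

# Constructed session store: session id -> (user id, roles).
SESSIONS = {
    "sess-alice": ("alice", {"customer"}),
    "sess-bob": ("bob", {"customer", "billing-admin"}),
}

# Constructed entitlements: which packages each account may buy.
ENTITLEMENTS = {
    "alice": {"basic"},
    "bob": {"basic", "enterprise"},
}


class CheckoutError(Exception):
    """Raised when a client-supplied field fails validation or authorisation."""


def checkout_trusting_client(request):
    """The bug the comment describes: the server honours the price the
    client posted back, so an edited form buys any package for a penny."""
    price = Decimal(request["form"]["price"])
    return {"sku": request["form"]["sku"], "charged": price}


def checkout_hardened(request):
    """Every client field is validated; authorisation is re-checked on the
    server for this specific purchase, not inferred from cookies or headers."""
    # 1. The session cookie is client-supplied, so it is only a lookup key.
    sid = request["cookies"].get("session")
    if sid not in SESSIONS:
        raise CheckoutError("not authenticated")
    user, roles = SESSIONS[sid]

    # 2. Headers are client-supplied too: roles come from the session
    #    record, never from a header such as X-Role.
    if "customer" not in roles:
        raise CheckoutError("not a purchasing account")

    # 3. Form values: the SKU must be a known catalog key.
    sku = request["form"].get("sku", "")
    if sku not in CATALOG:
        raise CheckoutError("unknown package")

    # 4. Quantity: strict parse and a bounded range.
    try:
        qty = int(request["form"].get("qty", "1"))
    except ValueError:
        raise CheckoutError("bad quantity")
    if not 1 <= qty <= 100:
        raise CheckoutError("quantity out of range")

    # 5. Authorisation re-check for this action: may this user buy this SKU?
    if sku not in ENTITLEMENTS.get(user, set()):
        raise CheckoutError("not entitled to package")

    # 6. The price is never read from the request; a posted 'price' is ignored.
    charged = CATALOG[sku] * qty
    return {"user": user, "sku": sku, "qty": qty, "charged": charged}


def try_checkout(request):
    """Convenience wrapper: ('ok', result) or ('denied', reason)."""
    try:
        return "ok", checkout_hardened(request)
    except CheckoutError as exc:
        return "denied", str(exc)


# Constructed tampered request: price edited to a penny, role header forged.
TAMPERED = {
    "cookies": {"session": "sess-alice"},
    "headers": {"X-Role": "billing-admin"},
    "form": {"sku": "enterprise", "price": "0.01", "qty": "1"},
}

# Constructed legitimate request from an entitled account.
LEGIT = {
    "cookies": {"session": "sess-bob"},
    "headers": {},
    "form": {"sku": "enterprise", "qty": "1"},
}

if __name__ == "__main__":
    print("trusting:", checkout_trusting_client(TAMPERED))
    print("hardened:", try_checkout(TAMPERED))
    print("hardened:", try_checkout(LEGIT))
```

The point of the layout is that the hardened handler never has a code path in which a number from the request reaches the charge: the SKU is a key into a server-side table, the quantity is parsed and bounded, and the entitlement check is done against the session's user rather than anything the client asserted about itself.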