by evilDagmar 1329 days ago
I've always found it more useful to just discard user input that doesn't come in the format you're asking for, and bail on the entire operation.

Like, if the user might be attempting something fishy, there's no reason to try and "clean it up" and have your program "do its best" with the remainder. Throw an error back at the user and move on to the next query.

3 comments

User: "My surname is O'Neill"

Server: HTTP/403, begone with you, foul SQL-injecting hacker!

That sounds awful. You probably reject phone numbers that use spaces instead of dashes or something? If it's correctable, just correct it and don't hassle the user. If it's ambiguous, then fine, ask the user to clarify.

This is the way. Parse, don't sanitize, and fail early. If 99% of traffic follows the pretty path, and most of the rest is actively hostile.
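The distinction the replies are drawing (correct cosmetic variation such as phone separators, reject anything that does not parse, and never depend on escaping for legitimately awkward data like O'Neill) as an added Python example; this is not code from the thread, and the phone format, the surname rule and the sqlite table are assumptions constructed for illustration:

```python
import re
import sqlite3

# Assumed format: 10-digit North American numbers with optional parens/spaces/dots/dashes.
PHONE_RE = re.compile(r"^\(?(\d{3})\)?[\s.-]*(\d{3})[\s.-]*(\d{4})$")


class RejectedInput(ValueError):
    """Input could not be parsed into the expected shape; the caller bails out."""


def parse_phone(raw: str) -> str:
    """Normalise separator variation ("555 123 4567", "(555) 123-4567") to bare digits.
    Cosmetic differences are corrected; anything else is rejected, not 'cleaned up'."""
    m = PHONE_RE.fullmatch(raw.strip())
    if not m:
        raise RejectedInput(f"not a phone number: {raw!r}")
    return "".join(m.groups())


def parse_surname(raw: str) -> str:
    """Accept letters, spaces, hyphens and apostrophes (so O'Neill is fine); reject the rest.
    No escaping is done here: the apostrophe is legitimate data, not something to strip."""
    name = raw.strip()
    if not name or len(name) > 100:
        raise RejectedInput("surname empty or too long")
    if not all(ch.isalpha() or ch in " '-" for ch in name):
        raise RejectedInput(f"unexpected characters in surname: {raw!r}")
    return name


def new_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a real contacts store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (surname TEXT NOT NULL, phone TEXT NOT NULL)")
    return conn


def store_contact(conn: sqlite3.Connection, surname_raw: str, phone_raw: str) -> tuple:
    """Parse both fields first; on any RejectedInput nothing is written.
    The INSERT is parameterised, so the apostrophe in O'Neill never touches SQL syntax."""
    surname = parse_surname(surname_raw)
    phone = parse_phone(phone_raw)
    conn.execute("INSERT INTO contacts (surname, phone) VALUES (?, ?)", (surname, phone))
    conn.commit()
    return surname, phone


def is_rejected(parser, raw: str) -> bool:
    """True if the parser refuses the input outright (used to show the fail-early path)."""
    try:
        parser(raw)
    except RejectedInput:
        return True
    return False
```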