A view into the mind of a serial optimist with a loaded rifle.
Wednesday, October 10, 2007
Sanitize your input.
You certainly don't want something like this to happen.
And don't forget input that is managed by Java (direct POST modification bypasses Java restrictions), and input that calls web pages by IDs for SQL queries instead of actual URLs.
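To make the page-ID case concrete, here is an added example (not part of the original post) that puts a string-built query next to a version that re-checks the ID on the server and binds it as a parameter. The `pages` table, its rows and all function names are hypothetical and constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, is_public INTEGER)")
    db.executemany("INSERT INTO pages VALUES (?, ?, ?)",
                   [(1, "Home", 1), (2, "About", 1), (3, "Admin notes", 0)])
    return db

def get_page_unsafe(db, raw_id):
    """'Before' version: the request's id is pasted straight into the SQL text."""
    sql = "SELECT title FROM pages WHERE is_public = 1 AND id = " + raw_id
    return [row[0] for row in db.execute(sql)]

def parse_page_id(raw_id):
    """Server-side check, done no matter what the client-side form enforced."""
    if not (isinstance(raw_id, str) and raw_id.isascii()
            and raw_id.isdigit() and len(raw_id) <= 9):
        raise ValueError("page id must be 1 to 9 ASCII digits")
    return int(raw_id)

def get_page_safe(db, raw_id):
    """'After' version: validate first, then bind the value as a parameter."""
    page_id = parse_page_id(raw_id)
    rows = db.execute(
        "SELECT title FROM pages WHERE is_public = 1 AND id = ?", (page_id,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    tampered = "2 OR 1=1"  # constructed value, as if the request had been edited
    print("unsafe:", get_page_unsafe(db, tampered))  # non-public row comes back too
    print("safe:  ", get_page_safe(db, "2"))
    try:
        get_page_safe(db, tampered)
    except ValueError as err:
        print("rejected:", err)
```

The validation and the bound parameter are independent layers: the parameter alone stops the query from being rewritten, and the check gives a clean rejection that can be logged.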