Never trust user input. Validate at every boundary:
Allowlist (whitelist) over denylist (blacklist): define exactly what is allowed and reject everything else. A denylist has to anticipate every hostile variant (alternate encodings, case changes, Unicode look-alikes, trailing newlines) and always misses one.
Validate type, length, format and range, and check all four; a value can have the right type and still be absurd:
- email: string, max 254 chars, a practical subset of RFC 5322 (the full grammar admits quoted local parts and comments that no signup form wants; confirm deliverability by sending to the address)
- age: integer, 0-150 range; reject numeric strings and booleans rather than silently coercing them
- username: ASCII alphanumeric, 3-20 chars (\w in a regex also admits underscores and, in Unicode mode, non-ASCII letters)
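The three fields above as an allowlist validator, added here as an example that is not part of the original page. The regex shapes, the field names and the ValidationError type are assumptions chosen for this example; the email pattern is a deliberately narrow practical subset, not an RFC 5322 parser. Every check is positive (what is accepted), and the request body itself is allowlisted so unexpected keys are refused rather than ignored.

```python
import re

# Constructed, deliberately narrow allowlist shapes for this example. The page
# only says "RFC 5322 format"; the full RFC 5322 grammar (quoted local parts,
# comments, folding whitespace) is far wider than any signup form wants.
EMAIL_MAX_LEN = 254
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
USERNAME_RE = re.compile(r"[A-Za-z0-9]{3,20}")  # explicit ASCII classes, not \w
AGE_MIN, AGE_MAX = 0, 150
SIGNUP_FIELDS = frozenset({"email", "age", "username"})


class ValidationError(ValueError):
    """Raised with a field name and a reason; the caller maps it to HTTP 400."""


def validate_email(value):
    if not isinstance(value, str):
        raise ValidationError("email: must be a string")
    if len(value) > EMAIL_MAX_LEN:
        raise ValidationError("email: longer than 254 characters")
    if not value.isascii():
        raise ValidationError("email: non-ASCII characters not accepted")
    # fullmatch, never search() or match(): a '$' anchor would still accept
    # a trailing newline, fullmatch requires the whole string to fit the shape
    if not EMAIL_RE.fullmatch(value):
        raise ValidationError("email: not in the accepted form")
    return value


def validate_age(value):
    # bool is a subclass of int, so True would otherwise pass as age 1;
    # a numeric string such as "30" is rejected rather than silently coerced
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValidationError("age: must be an integer")
    if not AGE_MIN <= value <= AGE_MAX:
        raise ValidationError(f"age: must be between {AGE_MIN} and {AGE_MAX}")
    return value


def validate_username(value):
    if not isinstance(value, str):
        raise ValidationError("username: must be a string")
    if not USERNAME_RE.fullmatch(value):
        raise ValidationError("username: 3-20 ASCII letters or digits")
    return value


def validate_signup(payload):
    """Validate a whole request body. Unknown keys are rejected, so a client
    cannot smuggle in a field such as is_admin that the handler never expected."""
    if not isinstance(payload, dict):
        raise ValidationError("body: must be a JSON object")
    extra = set(payload) - SIGNUP_FIELDS
    if extra:
        raise ValidationError(f"body: unknown fields {sorted(extra)}")
    missing = SIGNUP_FIELDS - set(payload)
    if missing:
        raise ValidationError(f"body: missing fields {sorted(missing)}")
    return {
        "email": validate_email(payload["email"]),
        "age": validate_age(payload["age"]),
        "username": validate_username(payload["username"]),
    }


def rejects(validator, value):
    """True when the validator refuses the value; used by the demo and tests."""
    try:
        validator(value)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    good = {"email": "alice@example.com", "age": 30, "username": "alice01"}
    print(validate_signup(good))
    for bad in ({**good, "is_admin": True},      # unexpected field
                {**good, "age": "30"},           # right digits, wrong type
                {**good, "username": "alice\n"}, # trailing newline
                {**good, "email": "alïce@example.com"}):  # look-alike letter
        print("rejected:", rejects(validate_signup, bad))
```

The type checks come before the shape checks on purpose: a regex applied to a non-string raises a TypeError deep inside the handler, which is an error path an attacker can probe; an explicit isinstance check turns it into a clean 400.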
Validate at multiple layers:
- Client-side (UX only, not security)
- API gateway (schema validation)
- Application code (business rules)
- Database (constraints)
Defense in depth. If one layer fails, others catch it.
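The database layer catching what the application layer let through, as an added example that is not part of the original page. The schema, the sample rows and the "legacy import" path that skips validation are all constructed for this example; the point is that the same rules (length, range, allowed characters) exist as CHECK constraints, and that the database also enforces a rule no request-time validator can, uniqueness under concurrent inserts. It uses only the standard-library sqlite3 module.

```python
import sqlite3

# Constructed schema for this example (not from the page). Each rule the
# application enforces is repeated as a CHECK constraint, so a row that reaches
# the database through a code path that skipped validation is still rejected.
SCHEMA = """
CREATE TABLE users (
    id       INTEGER PRIMARY KEY,
    email    TEXT    NOT NULL
             CHECK (length(email) <= 254 AND instr(email, '@') > 1),
    age      INTEGER NOT NULL
             CHECK (age BETWEEN 0 AND 150),
    username TEXT    NOT NULL UNIQUE
             CHECK (length(username) BETWEEN 3 AND 20
                    AND username NOT GLOB '*[^A-Za-z0-9]*')
);
"""

# Constructed input: one good row, then one violation per constraint.
SAMPLE_ROWS = [
    {"email": "alice@example.com", "age": 30, "username": "alice"},
    {"email": "bob@example.com", "age": 999, "username": "bob"},      # range
    {"email": "carol@example.com", "age": 25, "username": "carol!"},  # charset
    {"email": "no-at-sign", "age": 40, "username": "dave"},           # format
    {"email": "alice2@example.com", "age": 31, "username": "alice"},  # duplicate
    {"email": "ev@example.com", "age": 22, "username": "ev"},         # length
]


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def import_legacy_user(conn, row):
    """Hypothetical bulk-import path that trusts its input and skips the
    application validator (a bug constructed for this example). Returns True
    when the row was stored, False when a database constraint refused it."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(
                # bound parameters, never string formatting, for the values
                "INSERT INTO users (email, age, username) VALUES (?, ?, ?)",
                (row["email"], row["age"], row["username"]),
            )
        return True
    except sqlite3.IntegrityError:
        return False


def count_users(conn):
    return conn.execute("SELECT count(*) FROM users").fetchone()[0]


def run_import(rows):
    """Push rows through the unvalidated path; return (stored, rejected) usernames."""
    conn = open_db()
    stored, rejected = [], []
    for row in rows:
        (stored if import_legacy_user(conn, row) else rejected).append(row["username"])
    assert count_users(conn) == len(stored)
    conn.close()
    return stored, rejected


if __name__ == "__main__":
    stored, rejected = run_import(SAMPLE_ROWS)
    print("stored:", stored)      # ['alice']
    print("rejected:", rejected)  # every other row, by the database alone
```

Two things to take from the run. First, the constraints duplicate the validator rather than replace it: a CHECK failure surfaces as a generic integrity error with no field-level message, so the application layer still owns the user-facing 400. Second, the UNIQUE constraint is the only layer that can reject the duplicate username reliably; an application-side "does this name exist" query races against a concurrent signup.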