There’s an axiom in the appsec community - “all input is evil”. Every piece of data sent by the user may be teeming with virulent host-compromising attacks, and you’d better validate ANY and ALL user-modifiable parameters or your computer will explode...
Reading articles, browsing marketing materials, and listening to presentations about application security, you hear variations on a theme: "Input validation is absolutely critical to application security, and most application risks involve tainted input...