Also, when I say don't trust user input, do input validation on the back end. Even POST data can be manipulated using a proxy tool like Burp Suite.
You can validate using JavaScript on the front end, just to save the user time. But make sure security validation is done on the back end.
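As an added illustration of the point above (this is example code, not something the commenter posted), the following Node.js snippet applies one set of validation rules on the server regardless of what the browser's form already checked. The function and field names (`validateRegistration`, `handleRegister`, `username`, `email`, `age`, `role`) and the two sample requests are assumptions constructed for the example; the second request represents the same form submission after it has been edited in an intercepting proxy.

```javascript
// Added example, not from the original comment. Demonstrates server-side
// validation that does not depend on the client having run any checks.
// All names and the sample requests below are constructed for illustration.

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
// The server decides which roles a self-registration may request.
const ALLOWED_ROLES = new Set(["user"]);

// Pure validation function. The same function can run in the browser for
// fast feedback, but the server call is the one that matters for security.
// Returns { ok, errors, value } where value holds only sanitised fields.
function validateRegistration(body) {
  const errors = [];
  const value = {};

  // Reject unexpected keys: a proxy can add fields the form never exposed.
  const allowedKeys = ["username", "email", "age", "role"];
  for (const key of Object.keys(body)) {
    if (!allowedKeys.includes(key)) errors.push(`unexpected field: ${key}`);
  }

  // Type and format checks on every field; never trust the client's types.
  if (typeof body.username !== "string" || !/^[a-z0-9_]{3,32}$/.test(body.username)) {
    errors.push("username must be 3-32 chars of [a-z0-9_]");
  } else {
    value.username = body.username;
  }

  if (typeof body.email !== "string" || body.email.length > 254 || !EMAIL_RE.test(body.email)) {
    errors.push("email is malformed");
  } else {
    value.email = body.email;
  }

  // Numbers arrive as strings in form posts; parse strictly and bound-check.
  const age =
    typeof body.age === "string" && /^\d{1,3}$/.test(body.age) ? Number(body.age) : NaN;
  if (!Number.isInteger(age) || age < 13 || age > 130) {
    errors.push("age must be an integer between 13 and 130");
  } else {
    value.age = age;
  }

  // Privilege-bearing fields are checked against an allowlist, never copied through.
  const role = body.role === undefined ? "user" : body.role;
  if (!ALLOWED_ROLES.has(role)) {
    errors.push(`role not permitted: ${String(role)}`);
  } else {
    value.role = role;
  }

  return { ok: errors.length === 0, errors, value };
}

// Server-side handler: validation happens here no matter what the browser did.
function handleRegister(body) {
  const result = validateRegistration(body);
  if (!result.ok) return { status: 400, body: { errors: result.errors } };
  return { status: 201, body: { created: result.value } };
}

// Constructed sample requests. The first is what the browser's JavaScript
// validation lets through; the second is the same request after editing it
// in an intercepting proxy (negative age, extra fields, escalated role).
const fromBrowser = { username: "alice_01", email: "alice@example.com", age: "34" };
const viaProxy = {
  username: "alice_01",
  email: "alice@example.com",
  age: "-5",
  role: "admin",
  isAdmin: true,
};

console.log(handleRegister(fromBrowser));
console.log(handleRegister(viaProxy));
```

The front-end copy of `validateRegistration` only improves the user experience; the back-end call in `handleRegister` is what actually rejects the tampered request, which is why every field is re-typed, bounded and allowlisted there rather than assumed clean.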