When dealing with input from users assume they all hate you and have read your code.
If you operate from the assumption that your PHP code is known and that users are actively trying to break your site you will be forced to write secure code.
Most of your users are probably very nice people. As long as your code does what you told them it does, then they are going to be happy.
However, some of your users are idiots and will try and do wild and crazy things that you never intended your site to do. When it goes wrong, and it will, they will blame you and say your code has a bug. Idiot users never recognise what they did wrong. Learn to live with this fact.
A select few of your users are evil maniacs that just want to break stuff.
So how do you take input from users without risking them breaking everything? I answer this with lots of code examples and a rough guide to not trusting your users but being nice to them anyway.
Read it here: http://lordmatt.co.uk/item/2667/