I know SQL Injection is one... what are the others...
How about verifying user input? For example, you're expecting a 10-digit phone number, but you get "800OHNOES!"
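As an added example (not code from the poster, and assuming a made-up SQLite table `contacts`), a strict allowlist validator for the 10-digit phone case that rejects inputs like "800OHNOES!", paired with a parameterized insert so that input validation and query safety stay separate layers:

```python
import re
import sqlite3
from typing import Dict, Optional

# Constructed sample inputs; only "800OHNOES!" comes from the original post.
SAMPLES = ["800OHNOES!", "(800) 555-0123", "8005550123",
           "８００５５５０１２３", "80055501234", "", "' OR 1=1 --"]

# Characters people commonly type as phone formatting; stripped before validation.
_FORMATTING = re.compile(r"[\s().\-]")
# Allowlist: exactly ten ASCII digits. [0-9] rather than \d, so Unicode digits
# such as full-width "８" are rejected instead of being silently accepted.
_TEN_DIGITS = re.compile(r"[0-9]{10}")


def normalize_phone(raw: object) -> Optional[str]:
    """Return the canonical 10-digit string, or None if the input is not acceptable."""
    if not isinstance(raw, str) or len(raw) > 32:  # cheap length cap before any regex work
        return None
    cleaned = _FORMATTING.sub("", raw)
    return cleaned if _TEN_DIGITS.fullmatch(cleaned) else None


def store_phone(conn: sqlite3.Connection, user_id: int, raw: object) -> Optional[str]:
    """Validate first, then insert with bound parameters (hypothetical table 'contacts').

    Returns the stored value, or None when the input was rejected.
    """
    phone = normalize_phone(raw)
    if phone is None:
        return None
    conn.execute("INSERT INTO contacts (user_id, phone) VALUES (?, ?)", (user_id, phone))
    return phone


def demo() -> Dict[str, Optional[str]]:
    """Run every sample through store_phone and report what was accepted."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (user_id INTEGER, phone TEXT)")
    return {s: store_phone(conn, 1, s) for s in SAMPLES}


if __name__ == "__main__":
    for raw, stored in demo().items():
        print(f"{raw!r:>20} -> {'rejected' if stored is None else stored}")
```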