If you are using PHP to handle form input data - and let's face it, you probably will do some day if you are not already - make sure you do not make any assumptions about the reliability of the data. Remember, it came from users, and we do not trust users, now, do we?
If you are inserting form data into your database, make sure you pass it through mysqli_real_escape_string() first..
While client-side validation is a nice addition, you must not rely upon it to produce validated data as it can easily be disabled.
Users already have a hard enough time before they get in contact with your forms, so do not make them more complicated than they need to be. Split forms across pages if possible, keep selections to a minimum, lay options out neatly using HTML tables, and mark required fields clearly.
Copyright ©2015 Paul Hudson. Follow me: @twostraws.