maybe I should do security education by saying "imagine the user is Hitler. Literally. Visualize Adolf Hitler sitting in an office chair and he's filling out a form on your website. Are you sure you're validating inputs thoroughly enough?"