Nice, as I said before, the user can set any input. ANY. (Like on the internet, nobody knows you're a dog. NOBODY.)
It's important to check, validate and clean any input. That's my little cheat sheet:
Any value where a number is expected, convert to int:
$id = (int)$id;
Any string value, addslashes and htmlspecialchars before putting it into the database:
$string = addslashes(htmlspecialchars($string));
Because of the routing, I also check REQUEST_METHOD for GET or POST.
Also other types of validation, such as length, characters (alpha, numeric, alphanumeric, etc.) and others.
I wonder which types of checks and validations you also do?
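An added example for this thread, not the poster's own code: one request handler that puts the checks from the cheat sheet together in PHP. The request data is constructed inline so it runs offline, and the function names (validateId(), validateUsername(), validateComment(), allowedMethod()) are hypothetical. It checks REQUEST_METHOD for GET or POST, validates the id with filter_var() rather than a bare (int) cast (which would silently turn '42abc' into 42), applies length and character-class checks, and keeps the stored text raw: the database write uses a PDO prepared statement, so addslashes() is not needed, and htmlspecialchars() is applied once, at output time, for HTML context. It assumes the pdo_sqlite extension is available.

```php
<?php
// Added example for this thread (not the poster's code). Request data is
// constructed inline so the script runs offline; function names such as
// validateId() are hypothetical. Requires the pdo_sqlite extension.
declare(strict_types=1);

// Constructed sample request, standing in for $_SERVER['REQUEST_METHOD'] and $_POST.
$request = [
    'method' => 'POST',
    'params' => [
        'id'       => '42',                    // a number is expected
        'username' => 'alice_01',              // 3..20 chars, [A-Za-z0-9_]
        'comment'  => "It's <b>great</b>\x07", // free text with a stray control char
    ],
];

/** Routing check: only GET and POST are handled. */
function allowedMethod(string $method): bool
{
    return in_array($method, ['GET', 'POST'], true);
}

/**
 * Number expected. (int)'42abc' silently becomes 42; filter_var rejects it,
 * so a bad id is refused instead of being turned into a different record.
 */
function validateId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Length plus character-class check (alphanumeric and underscore). */
function validateUsername(string $raw): ?string
{
    if (strlen($raw) < 3 || strlen($raw) > 20) {
        return null;
    }
    return preg_match('/\A[A-Za-z0-9_]+\z/', $raw) === 1 ? $raw : null;
}

/**
 * Free text: require valid UTF-8, cap the length, strip ASCII control
 * characters except tab, newline and carriage return. The value is kept
 * raw here; escaping happens where it is used (SQL parameter, HTML output).
 */
function validateComment(string $raw): ?string
{
    if (!mb_check_encoding($raw, 'UTF-8') || mb_strlen($raw, 'UTF-8') > 500) {
        return null;
    }
    return preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $raw);
}

if (!allowedMethod($request['method'])) {
    http_response_code(405);
    exit("Method not allowed\n");
}

$id       = validateId($request['params']['id'] ?? '');
$username = validateUsername($request['params']['username'] ?? '');
$comment  = validateComment($request['params']['comment'] ?? '');

if ($id === null || $username === null || $comment === null) {
    http_response_code(400);
    exit("Invalid input\n");
}

// Database: the prepared statement binds the values, so no addslashes() is
// needed and the stored text is exactly what the user typed (minus control chars).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE comments (id INTEGER, username TEXT, body TEXT)');
$stmt = $pdo->prepare('INSERT INTO comments (id, username, body) VALUES (:id, :username, :body)');
$stmt->execute([':id' => $id, ':username' => $username, ':body' => $comment]);

// Output: htmlspecialchars() is applied at render time, once, for the HTML context.
foreach ($pdo->query('SELECT id, username, body FROM comments') as $row) {
    printf(
        "<p>#%d %s: %s</p>\n",
        $row['id'],
        htmlspecialchars($row['username'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
        htmlspecialchars($row['body'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
    );
}
```

Run it with `php validate.php`. Changing the sample id to '42abc' or the username to 'al' makes the script answer 400 instead of writing a row, which is the point of validating before casting: the (int) cast alone would have accepted the first and the database would have accepted the second.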