Slowing Down Attackers

While on the subject of sanitizing input, I've noticed that most developers stop at defending against cross-site scripting and SQL injection. While some ill-formed inputs are unintentional, many are clearly intentional attacks designed to explore and penetrate.

IMHO, origins of suspected attacks should be marked and the degree of certainty used to slow down responses or return responses designed to confuse the attackers. Just a one-hour IP-specific probation of slow or no service will change the attack economics enough to make your site less attractive to attackers.
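A minimal sketch of the probation idea above, added here as an illustration and not code from the original post. The class and method names, the rule for combining repeated reports, the 10-second delay ceiling and the 0.9 refusal threshold are all assumptions; only the one-hour window comes from the text.

```python
import time

PROBATION_SECONDS = 3600   # the one-hour probation from the text
MAX_DELAY_SECONDS = 10.0   # assumed ceiling on added latency
DROP_THRESHOLD = 0.9       # assumed certainty at which service is refused


class ProbationTable:
    """Tracks per-IP suspicion and turns it into a response decision."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so expiry can be tested
        self._entries = {}           # ip -> (certainty, probation_expiry)

    def _current(self, ip, now):
        """Certainty still in force for ip, or 0.0 once probation has ended."""
        entry = self._entries.get(ip)
        if entry is None:
            return 0.0
        certainty, expiry = entry
        if now >= expiry:
            del self._entries[ip]    # probation served, forget the mark
            return 0.0
        return certainty

    def report(self, ip, certainty):
        """Mark ip after a suspected attack; certainty is in [0, 1]."""
        if not 0.0 <= certainty <= 1.0:
            raise ValueError("certainty must be between 0 and 1")
        now = self._clock()
        prior = self._current(ip, now)
        # Assumed rule: treat reports as independent evidence, so repeated
        # low-confidence hits accumulate but never exceed 1.0.
        combined = 1.0 - (1.0 - prior) * (1.0 - certainty)
        self._entries[ip] = (combined, now + PROBATION_SECONDS)

    def decide(self, ip):
        """Return ('serve', 0.0), ('delay', seconds) or ('drop', None)."""
        certainty = self._current(ip, self._clock())
        if certainty == 0.0:
            return ("serve", 0.0)
        if certainty >= DROP_THRESHOLD:
            return ("drop", None)    # the "no service" end of probation
        return ("delay", round(certainty * MAX_DELAY_SECONDS, 2))
```

A request handler would call `decide()` before doing any work and call `report()` from the input validation that rejects a clearly hostile request.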

Going further, information should be shared in real time and accumulated over time to force the responsibility of defense as close to the attackers as possible. If each attack incident reported stains the source IP, ISPs will take more steps to prevent their entire IP range from being painted hostile, perhaps by subscribing to incident reports involving their IP range and mapping them to accounts. Anonymous proxies and Wi-Fi hotspots will also be forced to do the same if they want to avoid being effectively shut down.