February 12th, 2006, 06:21 AM
#9
Well, I'm not too sure if PHP is client or server side. If the processing was server side then even for a simple cho box, validate input. If it's client side, like JavaScript, then no worries.
Here I'll walk you through a garbled form attack.
Let's go to google.com (technically this example won't work but you'll get what I mean). Go to File --> Save Page As. Then save the page. Then open up the page via a text editor and find the part where it says: <input maxlength="2048"... and change the 2048 to 10000000. Then save the page and open it up via IE/FF. Then put in as many letters as you can. That's all someone has to do to manipulate a page. Anything processed server side MUST be validated before being used. Validation means checking the type of the input, the size of the data, etc., before using it.
*This example will not actually connect to Google's servers so it's safe to do. And even if you could submit that many letters to them, they'd simply throw an error. Trust me, I've tried.
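An added example, not part of the post above: server-side checks of type and size in PHP that hold whatever `maxlength` the submitted page carried. The field names `q` and `page`, the limits, and the sample submissions are assumptions made for illustration; it assumes PHP 8 with the mbstring extension.

```php
<?php
declare(strict_types=1);

// Server-side limit. The maxlength attribute in the HTML is only a hint to
// the browser and can be edited away, so it is enforced again here.
const MAX_QUERY_LEN = 2048;

// Validate a free-text field. Returns [value, null] or [null, error message].
function validate_query(mixed $raw): array
{
    // Type check: PHP turns "q[]=x" into an array, so never assume a string.
    if (!is_string($raw)) {
        return [null, 'q must be a single string'];
    }
    // Encoding check, so the length below is counted in real characters.
    if (!mb_check_encoding($raw, 'UTF-8')) {
        return [null, 'q is not valid UTF-8'];
    }
    $value = trim($raw);
    $len = mb_strlen($value, 'UTF-8');
    if ($len === 0 || $len > MAX_QUERY_LEN) {
        return [null, 'q must be 1 to ' . MAX_QUERY_LEN . ' characters'];
    }
    return [$value, null];
}

// Validate a numeric field: must be an integer inside a fixed range.
function validate_page(mixed $raw): array
{
    $page = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000]]);
    return $page === false
        ? [null, 'page must be an integer from 1 to 1000']
        : [$page, null];
}

// Constructed sample submissions standing in for $_POST.
$samples = [
    ['q' => 'form validation', 'page' => '2'],        // normal browser submit
    ['q' => str_repeat('A', 10000), 'page' => '1'],   // maxlength was edited
    ['q' => ['x'], 'page' => '1'],                    // array instead of string
    ['q' => 'ok', 'page' => 'abc'],                   // wrong type for page
];
foreach ($samples as $i => $post) {
    [$q, $qErr] = validate_query($post['q'] ?? null);
    [$p, $pErr] = validate_page($post['page'] ?? null);
    $err = $qErr ?? $pErr;
    echo "sample $i: ", $err === null ? "accepted (page $p)" : "rejected: $err", PHP_EOL;
}
```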