http://www.perlmonks.org?node_id=303914


in reply to Re: Avoiding user-input in sub calls.
in thread Avoiding user-input in sub calls.

 Using a HTML form with a drop down doesn't take away the user input; it's still not trusted.

 Any value may be entered by the user capable of saving your source somewhere and editing it; or faking the whole thing with LWP, etc.

 A minor point I know, but this came up at work fairly recently. All text fields were validated at submission time, but drop downs were for some bizarre reason taken as "trusted", and their values were injected directly into SQL. (Something else that's changed now).

Steve
---
steve.org.uk
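To make the point concrete, here is an added example (not code from the original thread) contrasting the "trusted drop-down" pattern Steve describes with the fix: validate the submitted value against the same server-side list that built the `<select>`, then bind it with a DBI placeholder. It assumes a hypothetical SQLite database with an `items` table and `category` column.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use DBI;

# Hypothetical schema: table `items` with `id`, `name` and `category` columns.
my $q   = CGI->new;
my $dbh = DBI->connect('dbi:SQLite:dbname=example.db', '', '',
                       { RaiseError => 1, AutoCommit => 1 });

# The same list that populated the <select> in the HTML form. Keeping it
# server-side makes the form a convenience, not the source of truth.
my %ALLOWED_CATEGORY = map { $_ => 1 } qw(books music video);

# BROKEN (the pattern described in the post): the drop-down value is treated
# as trusted and interpolated straight into the SQL string. Anyone who edits
# a saved copy of the form, or submits the request with LWP, controls the
# query text just as if it were a free-text field.
sub items_in_category_unsafe {
    my ($category) = @_;
    my $sql = "SELECT id, name FROM items WHERE category = '$category'";
    return $dbh->selectall_arrayref($sql);
}

# FIXED: (1) reject anything not in the server-side list, exactly as a text
# field would be validated at submission time; (2) bind the value with a
# placeholder so it can never be parsed as SQL, even if the list is later
# relaxed or the check is forgotten on some other code path.
sub items_in_category {
    my ($category) = @_;
    die "Invalid category\n"
        unless defined $category && $ALLOWED_CATEGORY{$category};
    my $sth = $dbh->prepare('SELECT id, name FROM items WHERE category = ?');
    $sth->execute($category);
    return $sth->fetchall_arrayref;
}

# Only the validated, bound variant is ever called with request data.
my $rows = items_in_category( scalar $q->param('category') );
print $q->header('text/plain');
print join("\t", @$_), "\n" for @$rows;
```

The whitelist check and the placeholder are independent controls: the first rejects unexpected values early with a clear error, the second guarantees the query structure cannot change whatever value gets through.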