Although, I was a little disappointed with the comment about sanitizing database inputs. You don't even have to sanitize them if you use bind variables. You don't need to run the input through some function that escapes quotes and such - just bind the input correctly and DONE!
OK maybe that doesn't hold true for ALL databases (I don't know one way or the other). Definitely true with Oracle though.
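The point above, shown in code (an added example, not the commenter's own): a bound parameter is handed to the engine as data, so an input containing a quote needs no escaping, while building the same query by string concatenation lets that quote reach the SQL parser. SQLite is used here only because it runs anywhere; the Python `?` placeholder stands in for an Oracle `:name` bind variable.

```python
import sqlite3

def lookup_user_bound(conn, name):
    # Bound parameter: `name` never becomes part of the SQL text,
    # so a quote inside it is stored and compared as a plain character.
    cur = conn.execute("SELECT id FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur.fetchall()]

def lookup_user_concat(conn, name):
    # Concatenation: the quote in `name` is parsed as SQL, which is why
    # this style forces callers to escape input by hand.
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    try:
        cur = conn.execute(sql)
        return [row[0] for row in cur.fetchall()]
    except sqlite3.Error as exc:
        return "error: " + str(exc)

def demo():
    # Constructed sample data: one name contains an apostrophe.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("O'Brien",)])
    bound = lookup_user_bound(conn, "O'Brien")     # finds the row
    concat = lookup_user_concat(conn, "O'Brien")   # syntax error
    return bound, concat

if __name__ == "__main__":
    print(demo())
```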