[user15672]

> Finally, ANY type of input sanitization is wrong way to do security, and should be employed only as an absolute last resort.

Ok, that's just plain wrong and absolutely wreckless advice. Everything from software development 101 classes to OWASP data validation can call you on that. If you don't understand why you're wrong, please, please, please stop developing software now until you can understand it.

[bpicolo]

He's correct in the sense of trying to catch SQL injection via input validation - that's a losing game. He isn't saying "don't validate your data at all", that's a different issue. Ultimately, your OWASP issues (XSS, SQL Injection) related to input are going to be prevented by appropriate escaping and data handling across your entire stack by default (key word is default, "trust the devs" is not the right answer). Input validation isn't the ticket.

This is a prime example of the Robustness Principle. https://en.wikipedia.org/wiki/Robustness_principle

[atemerev]

Would you be so kind to explain me the attack vector if the user input is never possibly treated as part of the code?

What I came up with is this: user name is stored in the database, and some new junior developer in a large team reads it in the backend code, and immediately plugs into another SQL query using string concatenation. BOOM!

But on the other hand, the very same junior developer can forget to sanitize the inputs before storing them (or do it incorrectly), so there.