If you're prohibiting valid letters to protect your database because you didn't parametrize your queries, you're solving the problem from the wrong end.
This is all well and good until the company loses real money because some other system you are interfacing with got compromised because of your attitude and fingers start being pointed. Defense in depth is a thing.