[screwt]

    Sites are susceptible when user input is ... incorrectly filtered for characters used in database commands ...   

If you're trying to protect yourself from SQLi by filtering & then running user input, you're doing it wrong. If a supposedly tech-literate site like Ars can't get that right, what hope do we have? (Let alone the banks themselves...)

[skolor]

That's exactly what defines SQLi. Incorrect filtering of user data is precisely the reason why SQLi is a vulnerability.

[0x0]

The better way to defend against SQLi would be to use proper quoting/prepared statements, instead of trying to play whack-a-mole by filtering and limiting the content of the input strings.

[skolor]

Correct, but that doesn't make the statement of the causes for SQLi any different.

[duncans]

Incorrect handling I'd say. If you're filtering apostrophes from your user input you're doing it wrong.

[undoware]

This is a semantic quibble. Your point could be restated as, "if you're not filtering potentially dangerous data out of your SQL queries (i.e. you're not using a fixed vocabulary of properly-quoted phrases) then you are vulnerable to SQLi."

think of it this way: no matter how you slice it, there are Bad Things you need to keep out of your SQL, and an easy layperson term for doing so is 'filtering'.

Recall that 'filter' != regexp.