Also, please don't tell people to write user input sanitation functions to fix SQL injections. Tell people to use a proper interface to their database that doesn't mix commands with data.
That is good advice as far as it goes, but even with parameterized queries, there are "parameters" to queries that can't be "parameterized", and so sanitization of some sort is usually required. A hobby horse of mine is reminding people that it's dangerous to rely exclusively on parameterized queries.
The reason is that if you are building a very dynamic web application in which the user's input or existing database values are used, for example, to determine a column name, table name, or even a database name, very strong whitelisting is required.
For the other cases, parameterization can take care of it.
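An added example (not from either commenter) of the split the reply describes: user-supplied values go through `?` placeholders, while the table and sort column, which no driver can bind as parameters, are checked against an allow-list before being quoted into the statement. The table and column names, and the in-memory sqlite3 database, are assumptions for illustration.

```python
import sqlite3

# Identifiers cannot be bound as query parameters, so the only safe option is
# an allow-list: the caller may choose from a fixed set of known names.
ALLOWED_TABLES = frozenset({"users", "orders"})        # assumed schema
ALLOWED_SORT_COLUMNS = frozenset({"id", "name", "created_at"})


def identifier_allowed(table: str, sort_column: str) -> bool:
    """True only if both identifiers come verbatim from the allow-lists."""
    return table in ALLOWED_TABLES and sort_column in ALLOWED_SORT_COLUMNS


def build_query(table: str, sort_column: str) -> str:
    """Build a SELECT whose identifiers are allow-listed and double-quoted;
    the WHERE value is left as a '?' placeholder for the driver to bind."""
    if not identifier_allowed(table, sort_column):
        raise ValueError(f"identifier not allow-listed: {table!r}, {sort_column!r}")
    return f'SELECT id, name FROM "{table}" WHERE name = ? ORDER BY "{sort_column}"'


def find_by_name(conn: sqlite3.Connection, table: str, sort_column: str, name: str):
    """Run the query; 'name' is passed as data, never spliced into the SQL."""
    return conn.execute(build_query(table, sort_column), (name,)).fetchall()


def demo_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory 'users' table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, created_at TEXT)")
    conn.executemany(
        "INSERT INTO users (name, created_at) VALUES (?, ?)",
        [("alice", "2024-01-02"), ("bob", "2024-01-01"), ("alice", "2024-01-03")],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(find_by_name(db, "users", "id", "alice"))        # [(1, 'alice'), (3, 'alice')]
    print(find_by_name(db, "users", "id", "alice' OR 1=1--"))  # [] : treated as a literal
    print(identifier_allowed("users", "id; DROP TABLE users"))  # False
```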