Comment by dylz

6 years ago

I don't believe this is acceptable. By any modern sane best practice, the word NULL in a string from a web form (where your input is basically by definition a string) is a string like any other.

Blocking -- in a string does not prevent SQL injection attacks. Using proper parameterised queries does. This might sound mildly hostile, but "you are not confident that you are escaping everything correctly", when this is a well-defined and solved problem, means you should not be building this application, as you're too incompetent to. For the millions of taxpayer money wasted on this kind of thing, it is absurd.

Blacklisting keywords used in XSS is also completely futile, pointless, useless, and does nothing but piss off users who can no longer use anything containing the word log or window or whatever.
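The contrast the comment draws, as an added example that is not part of the thread: a keyword blacklist rejects ordinary strings containing NULL, --, log or window, while a parameterised query (Python's sqlite3 here) stores every one of them as plain text, and the string-concatenation pattern it replaces breaks on an apostrophe. The table name, the blacklist contents and the sample inputs are constructed for the demonstration.

```python
import sqlite3

# Constructed inputs: harmless text that a naive keyword filter would refuse.
SAMPLE_INPUTS = ["NULL", "see -- dashes", "check the log window"]

# A keyword blacklist of the kind criticised above (assumed for illustration).
BLACKLIST = ("NULL", "--", "log", "window")


def blacklist_rejects(value):
    """True if the naive filter would refuse this input outright."""
    lowered = value.lower()
    return any(token.lower() in lowered for token in BLACKLIST)


def store_concatenated(conn, value):
    """The pattern the filter tries to protect: user text spliced into SQL."""
    conn.execute("INSERT INTO notes(body) VALUES ('" + value + "')")


def store_parameterised(conn, value):
    """The fix: the value is bound as a parameter and never parsed as SQL."""
    conn.execute("INSERT INTO notes(body) VALUES (?)", (value,))


def round_trip(store, value):
    """Store value with the given strategy and read it back.

    Returns the stored text, or None if the input broke the SQL statement.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes(body TEXT)")
    try:
        store(conn, value)
    except sqlite3.Error:
        return None  # the spliced text changed the statement's meaning
    row = conn.execute("SELECT body FROM notes").fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    for text in SAMPLE_INPUTS:
        print(repr(text), "blacklisted:", blacklist_rejects(text),
              "parameterised ->", repr(round_trip(store_parameterised, text)))
    # An apostrophe plus a comment marker is enough to break concatenation.
    print(repr(round_trip(store_concatenated, "it's -- fine")))
```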