just had to explain to a dev that no, sanitizing user input with a regex is not sufficient and yes, we do need to use a proper validation library to prevent sql injection... this is security 101, folks
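To show the point in working code (an added example, not part of the original post): a lookup that "sanitizes" with a regex and still concatenates the value into the SQL text, beside one that validates the input and then passes it as a bound parameter, so the database driver never treats it as SQL. The table, the rows and the `validate_name` rules are constructed for this demo; the structural defence shown is the parameterized query, with the validation step as defence in depth.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory sample data for the demo.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("O'Brien", "user"), ("bob", "user")],
    )
    return conn


def find_user_regex_sanitized(conn: sqlite3.Connection, name: str):
    # Strips a few characters, then still splices the value into the SQL text.
    # Whatever the regex leaves in is parsed as part of the statement, and
    # legitimate data containing a quote is silently corrupted.
    cleaned = re.sub(r"['\";]", "", name)
    sql = "SELECT id, name, role FROM users WHERE name = '" + cleaned + "'"
    return conn.execute(sql).fetchall()


MAX_NAME_LEN = 64  # assumed limit for this demo


def validate_name(name: str) -> str:
    # Defence in depth: enforce type and length, reject control characters.
    # This does not try to "remove SQL"; that is the parameter binding's job.
    if not isinstance(name, str):
        raise TypeError("name must be a string")
    if not 1 <= len(name) <= MAX_NAME_LEN:
        raise ValueError("name length out of range")
    if any(ord(c) < 32 or ord(c) == 127 for c in name):
        raise ValueError("control characters not allowed")
    return name


def find_user_parameterized(conn: sqlite3.Connection, name: str):
    # The value travels separately from the SQL text, so a quote in the data
    # is just data and can never change the statement's structure.
    name = validate_name(name)
    return conn.execute(
        "SELECT id, name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(find_user_regex_sanitized(db, "O'Brien"))  # [] : quote stripped, row lost
    print(find_user_parameterized(db, "O'Brien"))    # [(2, "O'Brien", 'user')]
```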