Processing untrusted data without first validating its contents can lead to a variety of security issues, including cross-site scripting, SQL injection, XML injection, and link injection. Your first instinct may be to implement blacklisting: look for characters known to be used in writing queries and scripts, such as brackets and quotes, and reject input that contains them. However, blacklisting typically fails for one very important reason:
Attackers are creative.
How to fix the problem: Don't rely exclusively on blacklisting as your injection prevention. If you need to keep special characters out of a field, use whitelisting (an allow-list of exactly the characters or patterns the field may contain) wherever possible. Unfortunately, even whitelisting isn't a sure fix, because some fields legitimately need characters that are also meaningful to a downstream parser. Defense in depth, such as output encoding to prevent cross-site scripting and parameterized queries to prevent SQL injection, provides robust protection: each layer keeps untrusted data from being interpreted as code even when an earlier layer lets something through.
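The layers described above, as an added example written for this page rather than code from the original text: an allow-list check for a username field, a deny-list check of the kind the article warns against (kept only to show what it misses), a parameterized SQLite query, and HTML output encoding. The table, the sample rows, the field rules and the function names are all constructed for this illustration.

```python
import html
import re
import sqlite3

# Allow-list for a username-style field (constructed rule for this example):
# only ASCII letters, digits and underscore, 3 to 32 characters. Input that does
# not match is rejected outright; nothing is "cleaned up" and passed along.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def is_valid_username(value: str) -> bool:
    """Return True only if the whole value matches the allow-list pattern."""
    return USERNAME_RE.fullmatch(value) is not None


def passes_denylist(value: str) -> bool:
    """Deny-list check: rejects only a handful of known-bad characters.

    This is the approach the article argues against. It is included so the
    comparison in the test shows inputs the deny-list waves through that the
    allow-list rejects.
    """
    return not any(ch in value for ch in "'\"<>;")


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory sample database with two rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    conn.commit()
    return conn


def lookup_roles(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: `name` is bound as a value, never spliced into SQL.

    Whatever the string contains, the database treats it as literal data, so a
    value that slipped past validation still cannot change the query's shape.
    """
    cur = conn.execute("SELECT role FROM users WHERE name = ?", (name,))
    return [row[0] for row in cur.fetchall()]


def render_greeting(name: str) -> str:
    """Output encoding for an HTML text context.

    html.escape turns <, >, &, " and ' into entities, so the value renders as
    text rather than markup even if it contains script tags.
    """
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def profile_html(conn: sqlite3.Connection, raw_name: str) -> str:
    """All layers together: validate, query with parameters, encode on output.

    Raises ValueError for input the allow-list rejects; the remaining layers
    still apply to anything that gets through.
    """
    if not is_valid_username(raw_name):
        raise ValueError("username must be 3-32 characters of [A-Za-z0-9_]")
    roles = lookup_roles(conn, raw_name)
    role = roles[0] if roles else "unknown"
    return render_greeting(raw_name) + f"<p>Role: {html.escape(role)}</p>"


if __name__ == "__main__":
    db = build_demo_db()
    print(profile_html(db, "alice"))
    for probe in ("bob OR 1=1", "al ice", "x"):
        print(f"{probe!r}: denylist={passes_denylist(probe)} "
              f"allowlist={is_valid_username(probe)}")
```

The deny-list lets through anything that avoids its five characters, while the allow-list only admits what the field actually needs; and even when validation is loosened, the parameterized query and the encoded output each keep untrusted text from being interpreted as SQL or HTML.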