And no SQL keywords allowed in passwords. Because they like to advertise that they don't bother escaping user input before concatenating SQL strings to store plain text passwords in the database.
The PHP manual pages are full of user comments with helpful suggestions just like that, which incompetent programmers copy and paste into production systems. But I think of it as a good thing, an instance of evolution in action, because banks that hire such stupid programmers deserve to have all their money stolen from them.
http://stackoverflow.com/questions/13738141/blacklist-filter...
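An added example, not part of the original comment: the alternative to a keyword blacklist, shown in Python with an in-memory SQLite database. The table layout, function names, sample password and PBKDF2 iteration count are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample: a password full of SQL syntax and keywords.
SAMPLE_PASSWORD = "x'); DROP TABLE users; -- SELECT"

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db

def _derive(password, salt):
    # Salted, slow key derivation; the iteration count is an illustrative choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 600_000, dklen=32)

def register(db, name, password):
    salt = os.urandom(16)
    # Placeholders keep user data out of the SQL text, so no keyword filter is needed,
    # and only the derived hash is stored, never the password itself.
    db.execute("INSERT INTO users (name, salt, pw_hash) VALUES (?, ?, ?)",
               (name, salt, _derive(password, salt)))

def verify(db, name, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the stored and recomputed hashes.
    return hmac.compare_digest(stored, _derive(password, salt))

def demo():
    db = open_db()
    register(db, "alice", SAMPLE_PASSWORD)
    tables = [r[0] for r in db.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    stored = db.execute("SELECT pw_hash FROM users WHERE name = ?", ("alice",)).fetchone()[0]
    return {
        "table_intact": tables == ["users"],
        "login_ok": verify(db, "alice", SAMPLE_PASSWORD),
        "wrong_rejected": not verify(db, "alice", "DROP TABLE users"),
        "plaintext_stored": SAMPLE_PASSWORD.encode("utf-8") in stored,
    }

if __name__ == "__main__":
    print(demo())
```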