cannt allow any characters that allow sql injection