Input sanitization can only ever be a defence-in-depth measure. It cannot protect 100% against injection attacks (though you should sanitize anyway).
The correct approach is to escape your outputs when mixing text into markup/SQL/whatever.
A cross-site scripting (XSS) vulnerability on Salesforce's website might have been abused to pimp phishing attacks or hijack user accounts. Fortunately the bug has been resolved, apparently before it caused any harm. Cloud app and security firm Elastica said the issue affected a Salesforce sub-domain – admin.salesforce.com …
That'd be a bit more clever if 1) this issue was in any way related to SQL injection, and 2) everyone on the entire planet wasn't already familiar with xkcd #327. There are tribes in remote regions of Papua who have never seen a computer, but nonetheless have seen crude[1] hand-drawn versions of the tale of Little Bobby Tables.
But, really, the former item is the key one. XSS is not SQL injection, and no one is served by confusing the two.
[1] As opposed to Randall's exquisitely minimalist renditions, of course.
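Added example, not written by either commenter or taken from the article: it illustrates the two points made in the thread, that an input filter alone leaves markup live while output escaping does not, and that the HTML sink and the SQL sink each need their own handling. The filter, function names and sample string are hypothetical and constructed for illustration.

```python
import html
import re
import sqlite3
from html.parser import HTMLParser

# Constructed sample: legitimate apostrophe and "<", plus markup with an event handler.
SAMPLE = "O'Brien wrote: <img src=x onerror=alert(1)> and 1 < 2"

def naive_sanitize(text):
    """Blocklist-style input filter (hypothetical): strips only <script> tags."""
    return re.sub(r"(?is)<\s*/?\s*script[^>]*>", "", text)

def render_raw(text):
    """Mixes text straight into markup with no output escaping."""
    return "<p>" + text + "</p>"

def render_escaped(text):
    """Escapes for the HTML element-content / quoted-attribute context."""
    return "<p>" + html.escape(text, quote=True) + "</p>"

class _Tags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.seen = []
    def handle_starttag(self, tag, attrs):
        self.seen.append(tag)

def live_tags(fragment):
    """Start tags an HTML parser actually recognises in the fragment."""
    parser = _Tags()
    parser.feed(fragment)
    parser.close()
    return parser.seen

def sql_round_trip(text):
    """SQL sink: bound parameter, so the apostrophe never reaches the SQL parser."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (body TEXT)")
    conn.execute("INSERT INTO comments (body) VALUES (?)", (text,))
    return conn.execute("SELECT body FROM comments").fetchone()[0]

if __name__ == "__main__":
    print(live_tags(render_raw(naive_sanitize(SAMPLE))))  # filter missed the <img>
    print(live_tags(render_escaped(SAMPLE)))              # only the wrapper tag
    print(sql_round_trip(SAMPLE) == SAMPLE)               # stored byte-for-byte
```

The filtered-but-unescaped rendering still contains a parsed `img` element, while the escaped rendering contains only the wrapper `p`, and the same string is stored unchanged through a bound SQL parameter.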