I think the basics should be common
The number of times I have seen direct SQL commands with vars in the command (rather than as SQL variables) is ridiculous (I'm looking at you, WordPress). One of the key factors to security is developing at the minimum level of competence, which means not allowing SQL injection attacks through use of SQL vars.
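The two patterns the comment contrasts, shown side by side as an added example (not code from the commenter or from WordPress). It uses Python's standard `sqlite3` module against a constructed in-memory `users` table; the table, rows and function names are assumptions made for the illustration. The concatenating version treats user-supplied text as part of the command, so a value containing a quote changes the query's logic; the parameterised version passes the value separately and the driver binds it as data, so the same input simply matches nothing.

```python
import sqlite3


def make_db():
    # Constructed sample database for the example (not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def lookup_concat(conn, name):
    # The pattern the comment objects to: the variable is spliced into the
    # command text, so whatever it contains is parsed as SQL.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    # The hardened pattern: a placeholder in the command and the value passed
    # as a bound parameter, so the driver never parses it as SQL.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(conn, name):
    # Returns (rows from concatenation, rows from binding) for the same input,
    # which makes the behavioural difference easy to check in a test.
    return lookup_concat(conn, name), lookup_param(conn, name)


if __name__ == "__main__":
    db = make_db()
    for value in ("alice", "x' OR '1'='1"):
        concat_rows, param_rows = compare(db, value)
        print(f"{value!r}: concat -> {len(concat_rows)} row(s), param -> {len(param_rows)} row(s)")
```

With the benign input both functions return the one matching row; with the quote-bearing input the concatenated query's WHERE clause becomes always-true and returns every user, while the bound query returns nothing because no user is literally named that.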