That there's a distinction to be made between what should be and what is. TBH, I don't know how bad a problem SQL injection is these days.
It's not like any programming language automatically checks your input and makes sure it isn't malicious before sending it on to the database.
Quite correct, because it can't--that would require the ability to read the programmer's/administrator's/... mind to determine what they think is malicious.
In a similar way, it's not like any compiler will (in full generality) test your code for the possibility of going BSOD: accepting that C and Turing machines are equivalent, and that moving to the next sequence point (more or less executing a statement) is equivalent to a transition in a Turing machine, here's a handy proof that ExecutesTransition and Halts are equivalent.
ExecutesTransition quite clearly also contains Halts, since we can just see if any of the halting transitions are executed (there are only a finite number). OTOH, Halts also includes ExecutesTransition, since we can create an altered Turing machine which is the original with the transition in question replaced by a halting transition, and all other halting transitions replaced by an infinite loop.
And we all know Halts to be unsolvable (if it was solvable, $R = RE$, but $SA \in RE \setminus R$).
So I don't see why the two are different.
The BSOD is what you get by allowing #1, trusting the programmer.
No, that is flat out wrong, and this is why: when I dual-booted between RH 6.2 and W98, RH 6.2 never crashed. W98 did.