Client-side input validation is inherently unsafe, because requests can easily be forged. The lack of server-side checks and query formatting allows for SQL injection attacks.
The quote character (") ends a string. Unexpected quote marks in SQL statements result in exploits.
See Let’s Talk! README.md#Vulnerabilities for examples.
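The following is an added example, not code from Let's Talk!, contrasting a query built by string concatenation with one that validates on the server and binds the value as a parameter. It assumes SQLite, where the string delimiter is the single quote (the double quote above plays the same role in dialects that delimit strings with it); the table, function names and rows are hypothetical and constructed for the illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE messages (author TEXT, body TEXT)")
    db.executemany(
        "INSERT INTO messages VALUES (?, ?)",
        [("alice", "hi"), ("bob", "private note"), ("o'brien", "hello")],
    )
    return db

def find_unsafe(db, author):
    # Vulnerable on purpose: the input is pasted into the SQL text, so a
    # quote in `author` closes the string literal and the rest is parsed as SQL.
    sql = "SELECT body FROM messages WHERE author = '" + author + "'"
    return [row[0] for row in db.execute(sql)]

def find_safe(db, author):
    # Server-side check: enforced here no matter what the client validated.
    if not isinstance(author, str) or not 0 < len(author) <= 64:
        raise ValueError("invalid author")
    # Bound parameter: the value travels separately from the SQL text, so a
    # quote inside it is data and cannot end the literal.
    sql = "SELECT body FROM messages WHERE author = ?"
    return [row[0] for row in db.execute(sql, (author,))]

def demo():
    db = make_db()
    forged = "nobody' OR '1'='1"  # constructed input containing quotes
    results = {
        "unsafe_forged": find_unsafe(db, forged),    # WHERE clause rewritten
        "safe_forged": find_safe(db, forged),        # treated as a plain name
        "safe_apostrophe": find_safe(db, "o'brien"),
    }
    try:
        find_unsafe(db, "o'brien")  # a legitimate name breaks the statement
        results["unsafe_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["unsafe_apostrophe"] = "syntax error"
    return results

if __name__ == "__main__":
    print(demo())
```

The concatenated query both leaks every row for the forged value and fails outright on a legitimate name containing an apostrophe, while the bound-parameter query handles both as plain data.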