Re: Languages don't 'sanitise input'...
There isn't a language out there which will prevent you doing something as silly as connecting to a DB and passing it a string straight from user input.
There *sort of* is.
Most SQL databases allow "prepared statements", in which the SQL command - sans data - is set up, and the data then supplied to it. This means that the parsing of command vs. data occurs long before the data turns up. Thus, once the data is applied, the DB will not confuse the two; SQL injection is obviated, even if the programmer "forgets" to sanitise the data.
Note, however, that the term "prepared statements" can be misused: I found a Python SQL library that promised prepared statements, but actually just used string formatting to create a simple statement. The result was that the library appeared to offer the protection I've outlined above, but actually didn't.