in reply to Opinions needed on CGI security

Specify what is permitted, not what is discouraged.

And to do that, you'll need to know what the domain of the data is, and what would be safe or dangerous there. This code above is unsafe from that perspective, because you've simply ruled out some common things that are dangerous in some contexts, but not others.

So in general, I'd stamp this code as "good intention, bad implementation", mostly because it starts to give the illusion of security, when in fact it does no such thing.

-- Randal L. Schwartz, Perl hacker
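An added illustration, not code from the thread, of the allowlist-vs-denylist point above in Perl; it assumes a hypothetical CGI parameter that is supposed to be a report file name, and the sample inputs are constructed:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Denylist: strips a few characters that are dangerous to a shell.
# Everything else passes, including input that is dangerous in other
# contexts (here: a path used to open a file).
sub denylist_clean {
    my ($in) = @_;
    (my $out = $in) =~ s/[;|&`<>]//g;
    return $out;
}

# Allowlist: the domain of the data is "a report file name", so spell out
# exactly what one looks like and refuse anything else.
# Returns the accepted value, or undef on rejection.
sub allowlist_report_name {
    my ($in) = @_;
    return undef unless defined $in && length($in) <= 64;
    return undef if $in =~ /\.\./;          # no parent-directory components
    # First char alphanumeric or underscore, then word chars, dot or hyphen.
    # \z (not $) so a trailing newline cannot sneak through.
    # In taint mode (-T) the captured $1 is also the untainted copy.
    return $in =~ /^([A-Za-z0-9_][A-Za-z0-9_.-]*)\z/ ? $1 : undef;
}

# Constructed samples: a valid name, a traversal attempt that the
# denylist lets through untouched, a shell metacharacter case, and
# an overlong value.
my @samples = ('report-2024.txt', '../../other-dir/private', 'a;b', 'x' x 70);
for my $s (@samples) {
    my $d = denylist_clean($s);
    my $a = allowlist_report_name($s);
    printf "%-28s denylist => %-28s allowlist => %s\n",
        $s, $d, defined $a ? "accept '$a'" : 'reject';
}
```

The denylist "cleans" the traversal string into exactly the same traversal string, which is the illusion of security the reply warns about; the allowlist rejects it because it was never in the permitted domain.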