  • Default User Avatar

    Per the description of the Kata, you do not have to add your points to the array: "you may add your point to the given array." This solution does not perform this step.

  • Default User Avatar

    I don't see a way to downvote this kata, but this is poor security practice.

    Just like many schools still teach Hello World! followed immediately by taking the user input and directly spitting it back out, this is the second-lowest level of protection. Levels: Nothing, Blacklisting, Whitelisting, Parameterizing.

    Queries should be parameterized. We should not be blacklisting, or even whitelisting inputs. Parameterizing queries is the only way, as there are myriad ways around blacklisting in this manner to still attack the database and return data the user should not have access to.
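
The contrast drawn in the comment above, as an added example that is not part of the kata or of either comment: the same lookup done with a blacklist plus string concatenation and with a bound parameter. The table, the blacklist tokens and the sample inputs are constructed for illustration, and SQLite stands in for whatever database the kata imagines.

```python
import sqlite3

# Hypothetical deny-list and table, constructed for this example.
BLACKLIST = ("--", ";", "drop", "union")
ROWS = [("alice", "a-secret"), ("bob", "b-secret"), ("O'Brien", "o-secret")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return db


def lookup_blacklist(db, name):
    """Blacklisting: reject known-bad tokens, then build the SQL by concatenation."""
    if any(token in name.lower() for token in BLACKLIST):
        raise ValueError("input rejected by blacklist")
    sql = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def lookup_param(db, name):
    """Parameterizing: the driver binds the value, so it is never parsed as SQL."""
    return db.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()


def concat_breaks_on_apostrophe(db):
    """True if a legitimate name with a quote breaks the concatenated query."""
    try:
        lookup_blacklist(db, "O'Brien")
    except sqlite3.OperationalError:
        return True
    return False


# Constructed input: contains no blacklisted token, yet changes the WHERE clause.
TAUTOLOGY = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("blacklist  :", lookup_blacklist(db, TAUTOLOGY))
    print("parameter  :", lookup_param(db, TAUTOLOGY))
    print("O'Brien ok :", lookup_param(db, "O'Brien"))
    print("concat breaks on O'Brien:", concat_breaks_on_apostrophe(db))
```

The blacklist version fails in both directions: it returns every row for the constructed input and raises a syntax error for a legitimate name containing an apostrophe, while the parameterized version handles both as plain data.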