Demaestro - 1:15 am on Dec 7, 2011 (gmt 0)
My post wasn't meant to oppose your view. I understand where you are coming from; I was just trying to impress upon people making decisions for their business what it means to hire someone and then make the statement
"Not everyone will have the money to hire a real coder to make their code secure."
I am saying, find the money. Just like you wouldn't hire a contractor who can't reinforce windows to build you anything, you shouldn't hire someone who can't secure their code to build you anything. You just shouldn't do it, and it shouldn't cost more; it just means you hire a professional, not some kid who took an HTML course one time and then read a book about server-side coding.
Octavious, you can't protect against an SQL injection attack by adding a captcha, nor can you protect against SQL injections by blocking IPs. You literally have to sanitize anything that can use POST or GET on the server.
If you are using a well-known CMS, start by doing a search online for the CMS with the version number and the words "sql injection". If there are known vulnerabilities for that CMS you should find something that will tell you what files to patch and how. For all your custom code, do a grep of all the files on your site and look for anything referencing POST or GET variables. Find all the places it grabs data this way and check to see whether it is sanitized.
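A worked version of the two points in the post above, added here as an example and not code from the original thread: a small heuristic scan (in the spirit of the suggested grep) over constructed PHP snippets, flagging lines that build SQL text from a variable assigned out of $_GET/$_POST/$_REQUEST, followed by a sqlite3 demonstration of why a captcha or IP block cannot help once that pattern exists, and why binding parameters (the usual way to "sanitize" for SQL) does. The file contents, table and payload are all constructed for the example; the scanner is a heuristic on assignment patterns, not a real taint analysis, and would miss input routed through other variables or helper functions.

```python
"""Added example, not from the original post: audit constructed PHP snippets
for SQL built from request variables, then show injection vs. parameter binding."""
import re
import sqlite3

# Constructed sample "files" (not from any real CMS): one pastes user input
# into the SQL string, the other binds it as a parameter.
SAMPLE_FILES = {
    "search.php": (
        "<?php\n"
        "$q = $_GET['q'];\n"
        "$sql = \"SELECT id, title FROM posts WHERE title LIKE '%\" . $q . \"%'\";\n"
        "$res = mysqli_query($db, $sql);\n"
    ),
    "login.php": (
        "<?php\n"
        "$user = $_POST['user'];\n"
        "$stmt = $pdo->prepare('SELECT id FROM users WHERE name = ?');\n"
        "$stmt->execute([$user]);\n"
    ),
}

ASSIGN_FROM_REQUEST = re.compile(r"\s*(\$\w+)\s*=\s*\$_(GET|POST|REQUEST)")
REQUEST_VAR = re.compile(r"\$_(GET|POST|REQUEST)\s*\[")
SQL_KEYWORD = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)


def audit(files):
    """Return (filename, line_no, line) for each line that contains an SQL
    keyword together with a request variable, or a variable previously
    assigned from one. Lines calling prepare() are skipped because the
    placeholder, not the input, ends up in the SQL text. Heuristic only:
    substring matching on variable names can over- and under-report."""
    findings = []
    for name, src in files.items():
        tainted = set()
        for no, line in enumerate(src.splitlines(), 1):
            m = ASSIGN_FROM_REQUEST.match(line)
            if m:
                tainted.add(m.group(1))
            if SQL_KEYWORD.search(line) and "prepare(" not in line:
                if REQUEST_VAR.search(line) or any(v in line for v in tainted):
                    findings.append((name, no, line.strip()))
    return findings


def make_db():
    """Constructed in-memory table standing in for the site's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def lookup_vulnerable(conn, user):
    """Same pattern as search.php: the request value becomes part of the SQL."""
    sql = "SELECT id FROM users WHERE name = '" + user + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, user):
    """Parameter binding: the value is passed to the driver separately and can
    never change the structure of the statement."""
    return [row[0] for row in conn.execute("SELECT id FROM users WHERE name = ?", (user,))]


# Constructed payload: closes the quoted literal and adds an always-true clause.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    for fname, lineno, text in audit(SAMPLE_FILES):
        print(f"{fname}:{lineno}: {text}")
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))  # every user: filter bypassed
    print("safe:      ", lookup_safe(db, PAYLOAD))        # no rows: payload is just a name
```

Neither a captcha in front of the form nor an IP block changes what `lookup_vulnerable` does with the string it receives; only the shape of the query matters, which is why the audit looks for how the value reaches the SQL rather than where it came from.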