enigma1 - 2:27 pm on Dec 7, 2011 (gmt 0)
I wonder why they show an update as of 8/12/2011. Isn't it the 7th? Or they have their date format messed up and they're just projecting; the article seems to have been published on the 1st.
I am sure SQL injections don't necessarily imply the attackers want to bring sites down, but rather to gain control in some way.
Several common sense techniques will stop those encoded injections dead in their tracks.
These kinds of techniques may also render the site unusable. Moreover, SQL injections don't take place only via /GET.
When you see this kind of attack succeed, you start realizing how "solid" the code of various scripts is: they just accept whatever input comes in. No filtering, nothing. It's best to find which scripts are vulnerable and make sure they perform SQL queries with a proper filter in place, by type and by value, relevant to the query in place.
So if products_id is an integer you don't filter it with a regexp just because it clears punctuation.
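
The post's last point, as an added example that is not part of the post or of any script it refers to: a punctuation-stripping regexp on products_id next to a filter by type and value followed by a bound parameter. The table, the function names and the sample input are constructed for illustration, and Python with SQLite stands in for whatever language and database the affected script uses.

```python
import re
import sqlite3

# Constructed sample data: an in-memory table standing in for a product catalogue.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (products_id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [(1, "widget"), (2, "gadget"), (3, "gizmo")])
    return db

def regex_filtered_lookup(db, raw):
    """Weak form: strip punctuation, then concatenate into the SQL string."""
    cleaned = re.sub(r"[^\w\s]", "", raw)  # letters, digits and spaces survive
    return db.execute(
        "SELECT name FROM products WHERE products_id = " + cleaned).fetchall()

def parse_products_id(raw, max_id=2**31 - 1):
    """Filter by type and value: ASCII digits only, within a sane range."""
    if not isinstance(raw, str) or not re.fullmatch(r"[0-9]{1,10}", raw):
        raise ValueError("products_id must be a decimal integer")
    value = int(raw)
    if not 1 <= value <= max_id:
        raise ValueError("products_id out of range")
    return value

def typed_lookup(db, raw):
    """Hardened form: validate the type, then bind the value as a parameter."""
    pid = parse_products_id(raw)
    return db.execute(
        "SELECT name FROM products WHERE products_id = ?", (pid,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # Constructed input; it is the same string whether it arrives via GET, POST or a cookie.
    hostile = "1 OR 1=1"
    print(regex_filtered_lookup(db, hostile))  # the WHERE clause no longer restricts to one row
    print(typed_lookup(db, "2"))
    try:
        typed_lookup(db, hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

The regexp removes the "=" but leaves the keyword and digits, so the concatenated query still matches every row; the typed filter rejects the same input before any SQL is built.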