incrediBILL - 12:59 am on Dec 13, 2011 (gmt 0)

That is what I was referring to when I said "extensive and expensive". Because you have to build this infrastructure in, so if it isn't already present it is an extensive application mod

Not really, same global protection.

When I said validation within the application I mean the usual stuff, like verifying dates, phone #s, email addresses, stuff that usually is already in place to validate fields server side. For expected formatted fields the lack of the desired format is usually enough to protect that field.

It's the free-for-all un-formatted input fields that are the problems, and those can easily be addressed with global protection as described previously.

There was some company selling a reasonably inexpensive site protection product that did just this, had packs of scripts to protect certain sites, and allowed you to add new rules to their scripts

However, not I can't find the link anywhere.

If I do, I'll post it.