incrediBILL - 12:22 am on Nov 1, 2012 (gmt 0)
Having see the result of and SQL attack on one of my sites, i'm in no doubt it's one of the easier hacks.
It's also one of the easiest to prevent.
Simple programming techniques of prepared statements and bound variables avoid most of the problem.
Here's a must read for PHP programmers:
Doing site wide input filtering is trivial, it doesn't have to be done page by page, and can detect a myriad of issues including attempted MYSQL injection. The fact that people still publish software without properly filtering input should be criminal IMO as the poor programming procedures are just as guilty as the hackers. It's like building houses without locks on the doors and wondering why everyone is robbing them.