Preventing SQL injection is not rocket science!
I can't believe that a professional security site has allowed itself to be exploited by this kind of attack. It's a simple matter to validate all input that will be used as part of an SQL query. Here are a couple of very basic, quick and dirty (PHP) examples:
1) Wherever possible, limit parameters passed from the client to numeric index and key references. This then allows you to use the simple regex:
$param = preg_replace("/\D/", "", $_POST['param']); // PCRE in PHP has no "g" modifier; preg_replace already replaces every match
to remove all non-numeric characters from the parameter before it gets anywhere near your database.
2) When you do need to parse textual parameters, you can either use:
$param = mysql_real_escape_string($_POST['param']); // or run this through the SQL interpreter directly for other languages
or you can manually replace all dangerous non-alphanumeric characters with their HTML entity equivalents:
$sqlinj = array("'", "\"", "(", ")", "=", "\\", "<", ">");
$sqlrep = array("&#39;", "&quot;", "&#40;", "&#41;", "&#61;", "", "&lt;", "&gt;"); // entity spellings restored from the rendered text; the backslash is dropped outright
$param = str_replace($sqlinj, $sqlrep, $_POST['param']);
While these are not the be-all and end-all, they will stop most attempts at SQL injection in their tracks. Any two-bit programmer worth his diploma can figure this out. There's no excuse for BitDefender to not have implemented at least this basic level of protection!
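Added example (not from the post above, and in Python with an in-memory SQLite table rather than the post's PHP/MySQL): the digits-only whitelist from point 1 and a bound-parameter query are each run against a constructed `3 OR 1=1` value beside a deliberately vulnerable string-concatenation lookup, so the difference in returned rows is visible. The table, rows and the `lookup_*` function names are all constructed for this demonstration.

```python
import re
import sqlite3


def setup_db():
    """Constructed sample table with one privileged account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", 0), (2, "bob", 0), (3, "root", 1)])
    return conn


def numeric_only(param):
    """Python counterpart of preg_replace('/\\D/', '', $param): keep digits only."""
    return re.sub(r"\D", "", param)


def lookup_unsafe(conn, raw_id):
    # Vulnerable on purpose: the raw client value becomes part of the SQL text.
    sql = "SELECT name FROM users WHERE id = " + raw_id + " ORDER BY id"
    return [row[0] for row in conn.execute(sql).fetchall()]


def lookup_whitelisted(conn, raw_id):
    # Point 1 from the post: strip everything that is not a digit before the
    # value gets near the database. Injected operators simply disappear.
    cleaned = numeric_only(raw_id)
    if not cleaned:
        return []
    sql = "SELECT name FROM users WHERE id = " + cleaned + " ORDER BY id"
    return [row[0] for row in conn.execute(sql).fetchall()]


def lookup_parameterized(conn, raw_id):
    # Bound parameter: the driver passes the value separately from the SQL
    # text, so it can never be parsed as part of the query. With an INTEGER
    # column, a value that is not a well-formed number matches nothing.
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (raw_id,)).fetchall()]


if __name__ == "__main__":
    db = setup_db()
    probe = "3 OR 1=1"  # constructed malicious value for the comparison
    print("unsafe:       ", lookup_unsafe(db, probe))
    print("whitelisted:  ", lookup_whitelisted(db, probe))
    print("parameterized:", lookup_parameterized(db, probe))
```

Binding parameters is the approach to reach for whenever the driver offers it; the whitelist remains a useful belt-and-braces check for identifiers that must be numeric anyway.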