
Tim Staney's Blog


LizaMoon: You can never be too crazy or paranoid about SQL injection.

A few months back I was going through a web server's log files looking for evidence of SQL injection attempts. Sure enough, I found it, and I installed countermeasures to block some of the originating IP addresses (or whole blocks of them). Sometimes I even block entire countries known for activity that targets web servers. (That might sound extreme, but let me explain: if the bulk of your business is in an area that doesn't rely on international customers, it's not really a crazy idea.)

As I was discussing what I was working on with a co-worker, they said, "You're pretty crazy. I doubt we're a high priority on a hacker's list. But, it's your job to be paranoid, I guess." And therein lies the problem. People assume that because they aren't a big corporation or a bank, they could never be a target for SQL injection. It doesn't work that way at all.

Web servers are sport for hackers 365 days a year, 24/7, and it doesn't matter whether you have one web server or a hundred; all a hacker is trying to find is an exploitable flaw. That flaw can be a page on a major bank's website or on Grandma's Afghan e-Store; it's completely indiscriminate. SQL injection attempts are usually scripted attacks that play the law of averages: the hacker's script may try every IP address in a range, and if it can't get in, it moves on to the next block.

So, just know that if you are running Microsoft SQL Server, you're on the list (until Microsoft actually admits that the database is the problem and stops blaming web developers' code). SQL injection can happen in seconds and infiltrate an entire database. The next thing you know, your customers are clamoring that their machines were infected.

So, call me crazy. Call me paranoid. If you run a dynamic website, it's something you need to be at least a little worked up about.
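The log review described at the top of the post, as an added example (not code from the original post): it decodes the request path from constructed access-log lines, flags SQL injection signatures, including the T-SQL DECLARE/CAST/EXEC sequence typical of the mass-injection scripts aimed at SQL Server backends, and tallies hits per source IP so the noisiest addresses can be fed to a firewall block list. The log format, signature names, threshold and sample addresses are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Indicators of automated SQL-injection probes. The T-SQL DECLARE/CAST/EXEC
# sequence is the fingerprint of mass-injection scripts aimed at Microsoft
# SQL Server backends; the remaining patterns apply to any database.
SQLI_SIGNATURES = [
    ("tsql-declare", re.compile(r"\bDECLARE\s+@\w+", re.I)),
    ("tsql-cast-hex", re.compile(r"\bCAST\s*\(\s*0x[0-9a-f]+\s+AS\s+N?VARCHAR", re.I)),
    ("tsql-exec", re.compile(r"\bEXEC\s*\(\s*@\w+", re.I)),
    ("union-select", re.compile(r"\bUNION\b.{0,40}?\bSELECT\b", re.I)),
    ("tautology", re.compile(r"'\s*(?:OR|AND)\s+['\w]+\s*=\s*['\w]+", re.I)),
]
# Combined-format access log line: client IP, timestamp, method, path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def sqli_indicators(path):
    """Signature names matching the request path. Decoding twice also
    catches double URL-encoded payloads (%2527 -> %27 -> ')."""
    decoded = unquote(unquote(path))
    return [name for name, rx in SQLI_SIGNATURES if rx.search(decoded)]

def scan_log(lines):
    """Return (hits, per_ip): suspicious (ip, path, indicators) and a per-IP count."""
    hits, per_ip = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # unparsable line: skip rather than crash the whole scan
            continue
        ip, path = m.group(1), m.group(4)
        found = sqli_indicators(path)
        if found:
            hits.append((ip, path, found))
            per_ip[ip] += 1
    return hits, per_ip

def block_candidates(per_ip, threshold=2):
    """Source addresses with at least `threshold` suspicious requests."""
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Apr/2011:20:14:47 +0000] "GET /products.asp?id=12 HTTP/1.1" 200 4821',
    '203.0.113.7 - - [01/Apr/2011:20:14:51 +0000] "GET /products.asp?id=12;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4445434C415245%20AS%20NVARCHAR(4000));EXEC(@S);-- HTTP/1.1" 500 312',
    '198.51.100.23 - - [01/Apr/2011:20:15:02 +0000] "GET /news.asp?id=7%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 4100',
    '198.51.100.23 - - [01/Apr/2011:20:15:03 +0000] "GET /news.asp?id=7%20UNION%20SELECT%20null,null-- HTTP/1.1" 200 4100',
    '192.0.2.9 - - [01/Apr/2011:20:16:10 +0000] "GET /search.asp?q=o%27reilly HTTP/1.1" 200 2210',
    '192.0.2.9 - - [01/Apr/2011:20:16:40 +0000] "GET /news.asp?id=7%2527%2520OR%25201%253D1 HTTP/1.1" 200 4100',
]
```

Running `scan_log(SAMPLE_LOG)` flags four of the six requests (the apostrophe in `o'reilly` alone is not enough to match), and `block_candidates` at the default threshold returns only 198.51.100.23.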
Posted: 4/1/2011 8:14:47 PM by Tim Staney
Filed under: LizaMoon, SQL, XSS, injection


About Tim Staney

Tim Staney has more than ten years (since 1997) of web development experience building enterprise-grade web applications for Fortune 500, small business and not-for-profit enterprises across the United States and Canada in a wide range of industries. Tim specializes in information architecture, content management with a keen focus on user experience, and social media integration. Tim Staney is a resident of St. Petersburg, Florida and an active member of his community.

Staney regularly presents to professional and community groups, speaking on social media, social marketing, web content management and web strategy.

Tim Staney is a member of the American Marketing Association and University Web Developers, as well as the St. Peter's Episcopal Cathedral Communications Task Force. Tim is the Web Content Manager at St. Petersburg College, working for the Marketing and Public Information department and managing content in the college's Ektron content management system. Tim also teaches courses such as Social Marketing for Small Business and Designing Effective Websites for St. Petersburg College's Learn to Earn program.
