If you have source code for the website, then verifying its security is much
more efficient. A lot of websites are based on open source CMSs.
Without source code, testing the security involves making an educated guess
about which parameters in the GET or POST request might be vulnerable.
Typically, a prerequisite for effectively auditing the site is to have a user
login. More complete coverage of code paths is possible with an admin login
for the website.
To secure the site, all input parameters should be validated before any are used
to construct SQL statements. This involves matching on allowed strings and
generating an error if there is no match.
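One way to implement the allow-list check described above, as an added example in Python that is not part of the original text. The parameter names, the patterns and the `products` table are assumptions made for illustration.

```python
import re
import sqlite3

# Hypothetical allow-list: one pattern per expected request parameter.
ALLOWED = {
    "category": re.compile(r"[a-z]{1,20}"),
    "max_price": re.compile(r"[0-9]{1,6}"),
    "sort": re.compile(r"name|price"),   # becomes an identifier in the SQL text
    "order": re.compile(r"asc|desc"),    # becomes a keyword in the SQL text
}

class InvalidParameter(ValueError):
    """Raised when a request parameter does not match its allowed pattern."""

def validate(params):
    """Check every parameter before any of them is used to build SQL."""
    unknown = set(params) - set(ALLOWED)
    if unknown:
        raise InvalidParameter(f"unexpected parameter(s): {sorted(unknown)}")
    for name, pattern in ALLOWED.items():
        value = params.get(name)
        # fullmatch() must consume the whole string, so a trailing newline
        # or appended text cannot slip past the way it can with '$'.
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise InvalidParameter(f"parameter {name!r} rejected")
    return params

def search(conn, params):
    p = validate(params)
    # Column names and sort direction cannot be bound as parameters, so only
    # allow-listed strings reach the SQL text; values are still bound with '?'.
    sql = ("SELECT name, price FROM products "
           "WHERE category = ? AND price <= ? "
           f"ORDER BY {p['sort']} {p['order']}")
    return conn.execute(sql, (p["category"], int(p["max_price"]))).fetchall()

def demo_db():
    """Constructed sample data in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, price INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [("lamp", "home", 30), ("desk", "home", 120), ("pen", "office", 2)])
    return conn

if __name__ == "__main__":
    ok = {"category": "home", "max_price": "200", "sort": "price", "order": "desc"}
    print(search(demo_db(), ok))
```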
There are various tools that are useful for this task, including manual
request replay, fuzzing, HTML and JavaScript code tidying, and Perl and
command-line web client automation.
I am familiar with some of the techniques that might be used for SQL injection.
There are tutorials on how to test for this possibility. Whether certain query
syntax is supported also depends on what SQL server they are using.
An SQL injection vuln that has visible results in the HTML is much easier to
detect than a blind SQL injection, although the latter is still possible.
Thank you for your consideration. I look forward to your reply.