I have a friend who usually comes to me for website advice, though he didn't on his last project and chose to engage the services of a young teenager to build his latest site in bespoke PHP/MySQL. However, he has since heard about PHP cross-scripting and database injection attacks and is worried that his site may be potentially hackable, due to the young age of the developer possibly not having the experience of knowing all the pitfalls.
Unfortunately, I can't advise because I use tried and tested CMS code like WordPress etc. to build sites, which has been written by experienced developers and has a good track record 'in the wild'. I looked at some online services to test for cross-scripting and MySQL injection attacks, but it's $800 to buy software he'll probably only ever use once. He's reluctant to go back to the young developer and ask "is your code 100% known secure?" for fear of offending him, so does anyone know of any affordable methods of testing?