It is illegal to do this against any other site in Belgium without approval of the victim and under control of the victim. Even as a white hacker because that doesn't exist - even if you are coming on tv :). The victim or his lawyers can come after you at any time and you won't know what hit you (or your parents like the hacker on VRT).
this is for the programmers and the owners.
But this is just the beginning and not the finish. You really need to limit the online access to forms (put it behind a proxy on a server seperate from your contentserver), you need to limit the data behind the database (destroy old data and don't let people 'download whole datastacks, so only download from the user no big uploads to the user), encrypt it sufficiently (not md5 even if it is salted), place a vulnerability checker (to update all the different things that you are running) and put a patchpolicy in place, install a WAF firewall or policy (make it yourself easy, only accept normal commands and block all the rest) and activate an alarmprocedure to get a warning when an sql injection has some success and is downloading datastacks or too many attacks are happening (even if they don't succeed). Have a takedown procedure in hand so you can take down the site or only the datasets if this doesn't help. (attacks mostly happen with metasploit)
and let this test yearly by a penetration tester but with a clearly defined goal : get the information out of that datase whatever the way (while he is doing these tests someone from security and the network should sit next to him so that he has a contact if something can go wrong or to take immediate action if this is needed (finding a hardencoded password for example)
LESS data is MORE security (and less costs and responsabilities and fines) so if people want to add more data or combine data you should ask youirself if it is WORTH all that
and the best way is to write in every contract that the code has to repond to OWASP 10 or OWASP 20 and that the programmers have to show the results of their tests certifying that they don't have those mistakes in their code (enfin your code)
Automated SQL Injection Detection – Arne (many good links)
and so on