First, before I mention anything else, I want to assure you that SQL Injection attacks are not possible with Sitefinity. Every database query executed is constructed by our Object-Relational mapper and we don't insert user-inputted data into the queries. We are using stored procedures for every API method, so I am not sure how you can change the query. It's important to tell you that if you have any custom functionality, you should be prepared to filter your data before you construct the queries, but this is not the case when you use the ORM. Now to answer your questions:
1. Does Sitefinity use stored procedures to perform authentication?
Yes. We extract the user's details with stored procedures.
2. Does Sitefinity check for hazardous user input like script tags etc.?
This is an ASP.NET feature - Event Validation, and it is enabled by default for all pages, user controls and modules.
3. Does the CMS part of the system use both client and server side validation to ensure correct input is provided?
Could you please open a new support ticket with the details on this case? We are very interested in it, and want to find out the reasons for your concerns.
the Telerik team
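The reply above draws a line between queries built by the ORM or stored procedures and any custom data access a site adds on top. The following is an added example, not Sitefinity or Telerik code, illustrating that distinction in C#: a custom query that concatenates user input, the same query with a typed parameter, and a parameterized stored-procedure call of the kind the reply refers to. The table `dbo.Users`, the procedure `dbo.GetUserByName` and its `@userName` parameter are assumptions made up for the example; the commands are only built and inspected, so no database is required to run it.

```csharp
// Added example (not Sitefinity/Telerik code). Assumed, hypothetical schema:
//   table dbo.Users(UserName, PasswordHash)
//   procedure dbo.GetUserByName(@userName NVARCHAR(256))
using System;
using System.Data;
using System.Data.SqlClient;

public static class UserQueries
{
    // VULNERABLE: user input is spliced into the SQL text, so a single quote in the
    // input terminates the literal and everything after it is parsed as SQL.
    public static SqlCommand FindUserUnsafe(string userName)
    {
        string sql = "SELECT UserName, PasswordHash FROM dbo.Users WHERE UserName = '"
                     + userName + "'";
        return new SqlCommand(sql);
    }

    // SAFE: the value travels as a typed parameter. The query text never changes,
    // and the driver sends the value separately, so it is only ever compared as data.
    public static SqlCommand FindUserSafe(string userName)
    {
        var cmd = new SqlCommand(
            "SELECT UserName, PasswordHash FROM dbo.Users WHERE UserName = @userName");
        cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = userName;
        return cmd;
    }

    // SAFE: a stored procedure called with a parameter, which is how a data layer or
    // ORM typically invokes procedures. This is only as safe as the procedure body:
    // a procedure that builds dynamic SQL from @userName with EXEC is injectable again.
    public static SqlCommand FindUserViaProcedure(string userName)
    {
        var cmd = new SqlCommand("dbo.GetUserByName")
        {
            CommandType = CommandType.StoredProcedure
        };
        cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = userName;
        return cmd;
    }

    public static void Main()
    {
        // Constructed attacker input: closes the string literal, appends a tautology,
        // and comments out the trailing quote of the original query.
        string payload = "admin' OR 1=1 --";

        // In the concatenated version the WHERE clause now matches every row.
        Console.WriteLine(FindUserUnsafe(payload).CommandText);

        // In the parameterized versions the command text still contains @userName,
        // and the payload is carried as a plain string value.
        SqlCommand safe = FindUserSafe(payload);
        Console.WriteLine(safe.CommandText);
        Console.WriteLine(safe.Parameters["@userName"].Value);

        SqlCommand proc = FindUserViaProcedure(payload);
        Console.WriteLine(proc.CommandText + " " + proc.CommandType);
        Console.WriteLine(proc.Parameters["@userName"].Value);
    }
}
```

Printing the three `CommandText` values side by side makes the point of the reply concrete: the first query changes shape depending on the input, while the parameterized query and the procedure call keep a fixed command text regardless of what the user typed. For custom functionality, parameterization (or the ORM) is the control to rely on; "filtering" input before building a string query is a weaker substitute, because it has to anticipate every quoting and encoding trick the database accepts.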