Same thing applies in PHP as well, I charged another client $2,000 to write one line of code.

I used to sell used cars in my prior life, so that helps heh.

Regardless, I have no idea…I’m sure there are plenty of not so honest web devs who will try to take advantage of folks. What I find very odd is that you did the right thing by getting multiple quotes, but they were all high. Very strange indeed. Maybe they’re all in cahoots together, running up an asp.net racket .

If you’d like to continue this conversation offline, I’d be happy to tell you what I think an honest quote would be for the work you were looking to get done (I’m not looking for work, however I’d like to help out if it means saving you some money).

Is it customary for web developers to pad their quotes like this?

string QS = Request.QueryString["QS"] ?? “some Default String”;

As for the 2nd part, there is no reason why they should need to modify the web.config. If they are using codebehind then yes a recompile is necessary (though it should take seconds to compile and deploy). The bigger question is why are you passing sensitive info w/o salting in addition to the base64 encoding otherwise doing a dictionary attack is very easy. Regardless, if you needed to do that in asp.net (psuedocode):

if (IsNew)
byte[] dataBytes = new byte[yourString.Length];
databytes = System.Text.Encoding.UTF8.GetBytes(yourString);
string encodedString = Convert.ToBase64String(encData_byte);

Hardly what I’d call rocket science. You’re getting fed BS.