So do something about it: http://blogs.technet.com/swi/archive/2008/06/24/new-tools-to-block-and-eradicate-sql-injection.aspx
We give you 3 different ways to combat SQL injection on our platform above, including an update to one of my all-time favorite tools - URLScan! Here's a blog post from a senior IIS dev-dude (Wade Hilmo) on the new URLScan and some of the new features: http://blogs.iis.net/wadeh/archive/2008/06/24/urlscan-v3-0-beta-release.aspx
You know, I never understood why people don't just use Parameterized Queries in .NET. For everything from Dynamic SQL to Stored Procs. You set the correct datatype and everything gets handled by the framework for you. .NET is a beautiful thing when used correctly.
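What the comment above describes, as an added example that is not part of the original post or its comments: an ADO.NET sketch that builds a dynamic search and a stored procedure call with typed parameters. The table `dbo.Customers`, its columns, the procedure `dbo.GetCustomerOrders` and the class and method names are hypothetical; `Main` only builds and prints the command, so it runs without a database.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text;

static class CustomerQueries
{
    // Dynamic SQL: the statement text is assembled only from fixed fragments;
    // caller-supplied values travel separately as typed parameters.
    public static SqlCommand BuildSearch(string lastName, string minOrders)
    {
        var cmd = new SqlCommand();
        var sql = new StringBuilder("SELECT Id, LastName FROM dbo.Customers WHERE 1 = 1");

        if (!string.IsNullOrEmpty(lastName))
        {
            sql.Append(" AND LastName = @lastName");
            cmd.Parameters.Add("@lastName", SqlDbType.NVarChar, 50).Value = lastName;
        }

        int min;
        if (int.TryParse(minOrders, out min))   // non-numeric input is dropped, never concatenated
        {
            sql.Append(" AND OrderCount >= @minOrders");
            cmd.Parameters.Add("@minOrders", SqlDbType.Int).Value = min;
        }

        cmd.CommandText = sql.ToString();
        return cmd;
    }

    // Stored procedure: same parameter API, only CommandType changes.
    public static SqlCommand BuildProcCall(int customerId)
    {
        var cmd = new SqlCommand("dbo.GetCustomerOrders") { CommandType = CommandType.StoredProcedure };
        cmd.Parameters.Add("@customerId", SqlDbType.Int).Value = customerId;
        return cmd;
    }

    static void Main()
    {
        // Constructed input containing quote and comment characters.
        using (var cmd = BuildSearch("O'Brien' --", "3"))
        {
            Console.WriteLine(cmd.CommandText);   // text holds placeholders only
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine("{0} ({1}) = {2}", p.ParameterName, p.SqlDbType, p.Value);
        }
        // To execute: set cmd.Connection to an open SqlConnection and call ExecuteReader().
    }
}
```

The printed command text contains only `@lastName` and `@minOrders`; the quote characters in the input appear solely in the parameter value, which the provider sends to the server as data rather than as part of the statement.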