freejung - 9:14 pm on Dec 7, 2011 (gmt 0)
In support of incrediBILL's argument -- I use PHP on a LAMP stack so I don't have direct experience of this, but I talked to a friend who is an extremely competent .NET developer. He said that following "the best practice of using parameterized SQL when interacting with the database" should prevent this sort of attack. The tone and general context of the discussion implied strongly that any .NET developer who does not follow this practice doesn't really know what they're doing.
For my part I use a framework (MODX xPDO) that escapes everything before interacting with the database, and just for good measure I validate all my input first anyway. I haven't heard of anyone using MODX having problems with SQL or script injections.
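The distinction the post is drawing (string-concatenated SQL versus parameterized SQL versus escape-everything) is easiest to see side by side. The following is an added example, not code from freejung, MODX xPDO or any .NET code base; it uses Python's built-in sqlite3 module against a constructed in-memory database rather than .NET, because the mechanism is the same in every driver that supports bind parameters. The table, rows, function names and the `x' OR '1'='1` payload are all assumptions made up for the demonstration. It also goes one step beyond the post: the last function shows the one place parameters cannot help (an identifier such as an ORDER BY column), where an allowlist is the practical check.

```python
import sqlite3

# Constructed in-memory database for the demonstration (assumption: not from the post).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    # bob is inserted first so that ORDER BY id and ORDER BY name give different orders
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("bob", "b-secret"), ("alice", "a-secret")],
    )
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """Vulnerable: attacker-controlled text is spliced straight into the SQL text."""
    sql = "SELECT name, secret FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    """Parameterized: the SQL text is fixed, the value travels separately as a bind
    parameter, so nothing the user types can change the statement's structure."""
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()


def lookup_escaped(conn, name):
    """Escape-before-use (what a framework like the one in the post does for you).
    Correct for this one context (a single-quoted SQL string literal), but the
    escaping has to match the exact context, which is why parameters are preferred."""
    sql = "SELECT name, secret FROM users WHERE name = '%s'" % name.replace("'", "''")
    return conn.execute(sql).fetchall()


# Identifiers (column or table names) cannot be bound as parameters, so an
# allowlist is the check that stands in for parameterization there.
ALLOWED_SORT_COLUMNS = {"id", "name"}


def list_sorted(conn, column):
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unexpected sort column: %r" % column)
    # Safe only because `column` has just been checked against a fixed set.
    rows = conn.execute("SELECT name FROM users ORDER BY %s" % column).fetchall()
    return [r[0] for r in rows]


# Classic tautology payload (constructed for the demonstration).
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concat, normal input :", lookup_concat(db, "alice"))
    print("concat, payload      :", lookup_concat(db, PAYLOAD))   # leaks every row
    print("param, payload       :", lookup_param(db, PAYLOAD))    # no match
    print("escaped, payload     :", lookup_escaped(db, PAYLOAD))  # no match
    print("sorted by name       :", list_sorted(db, "name"))
```

Running it shows `lookup_concat` returning both users' secrets for the payload while the parameterized and escaped versions return nothing, which is the whole of the .NET developer's point; the `list_sorted` allowlist is the caveat to keep in mind when a query takes a column name rather than a value.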