• Wow, this is an old thread but still very pertinent.

    We are rapidly migrating to SQL 2005.

    But we were attacked by injection ... every vharchar field in every table replaced with similar .js crap. We restored and the world was good.

    But we're trying to find the vulnerability ... of the publicly visible pages on the site (only 5 or 6), all are derived with stored procs and/or our own in-house brewed trap.

    We are told that SQL2005 and SQL2008 handle SQL injections far better.

    We are also about to, within a month, implement a proper SQL Server 2005 mirror. But of course mirrors will merely mirror the injection, right?

    I'm babbling ... but beyond stored procs and homegrown filters, are there any other known hardware or software remedies?

    You refer to a profiler to see commands ... where is that?