• If we want to see the back of SQL injection, harpooning the developers is probably the wrong way to go about it. Yes, they should be using parameterized queries, and yes, you could fire them for concatenating values into their SQL strings, but the chances are the next developer you hire is going to do the same damn thing... even if you specifically ask it as an interview question. There will always be bad developers and some of them are going to sneak in under the radar.

    What I'd like to see is this prevented at the development language level. I'd like to see an abstraction that sits above the level of ADO etc. and builds my SQL for me in a guaranteed safe fashion. It should pull in the schema and allow me to select the various SQL operations etc. Basically something similar to the query builder that comes in Management Studio or Access. Of course, those query builders are truly horrible, which is why nobody uses them, so this abstraction would have to be GOOD. I'm not sure what it would look like, whether it would be graphical or textual, but it would have to be easy to use, powerful and flexible. It would also need to keep up with new additions to the various flavours of SQL. It would be no mean feat to create such a tool, but until it exists I will continue to write my own SQL strings and, as long as I do that, I am more than capable of idiocy.
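An added example (not the commenter's code) of the kind of abstraction the comment asks for, in Python with sqlite3: a small builder that pulls the schema out of the database, rejects any table or column name it does not know, and binds every value as a parameter, shown next to the string-concatenating lookup it replaces. The `users` table, its rows and the probe input are constructed for the demo.

```python
import sqlite3

# Constructed demo schema and data (not from any real system).
SCHEMA_SQL = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT);
INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user');
"""


class SafeSelect:
    """Builds SELECT ... WHERE col = ? AND ... from the live schema.

    Identifiers are checked against what the database reports, so they are
    never free text; values never touch the SQL string, only the bind list.
    """

    def __init__(self, conn):
        self.conn = conn
        self.schema = {}
        for (table,) in conn.execute(
                "SELECT name FROM sqlite_master WHERE type = 'table'"):
            cols = conn.execute(f'PRAGMA table_info("{table}")').fetchall()
            self.schema[table] = {row[1] for row in cols}  # row[1] is the column name

    def select(self, table, columns, where):
        if table not in self.schema:
            raise ValueError(f"unknown table {table!r}")
        for col in list(columns) + list(where):
            if col not in self.schema[table]:
                raise ValueError(f"unknown column {col!r} on {table}")
        sql = 'SELECT ' + ", ".join(f'"{c}"' for c in columns) + f' FROM "{table}"'
        if where:
            sql += " WHERE " + " AND ".join(f'"{c}" = ?' for c in where)
        return self.conn.execute(sql, tuple(where.values())).fetchall()


def unsafe_lookup(conn, name):
    """The pattern the comment complains about: value pasted into the SQL text."""
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def make_builder():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA_SQL)
    return conn, SafeSelect(conn)


def demo():
    conn, builder = make_builder()
    probe = "x' OR '1'='1"  # constructed input that closes the quoted literal
    leaked = unsafe_lookup(conn, probe)                                  # every row
    bound = builder.select("users", ["name"], {"name": probe})           # no row
    admins = builder.select("users", ["name"], {"role": "admin"})        # [('alice',)]
    return len(leaked), len(bound), admins
```

The builder's answer to an unknown identifier is an exception, which is the point: a column name is data about the schema, not something callers get to spell.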