Not only are SQL Injection attacks still going on but also cross site scripting, response splitting and other nasties.
Let us suppose that your code is SQL Injection attack proof. Some enters Dave';WAITFOR('00:00:15'); into a form field and that is precisely what gets entered into the DB. The WAITFOR doesn't get treated as a SQL Statement but now you have a data quality problem.
OK, coding to look for strange syntax is quite a job but I've seen fields that, in theory, are populated from web form drop down boxes that have had this rubbish in them!!!
Then you have HTTP Response Splitting where some bright spark has worked out that injecting carriage returns and line feeds into the HTTP response fools the web server into to accepting more than it should from any single request.
At one time is was easy to spot illegitimate mechanical activity on a web stie by the HTTP_USER_AGENT. Now even the most basic mechanical attack will know to spoof a valid HTTP_USER_AGENT and probably rotate IP addresses to avoid rate alerts (too much traffic coming from one customer for it to be genuine).
From the malicious attack perspective the game has moved on.
SQL Injection attacks are the middle aged man with the high BMI in the Sunday pub football league compared to what else is out there in the European super league.
If SQL Injection attacks are still suceeding on your web site then you're way behind the curve.
LinkedIn ProfileNewbie on www.simple-talk.com