Preventing Injection attacks
22/08/2008 15:50:40
 
General information
Forum: Microsoft SQL Server
Category: Other
Environment versions
SQL Server: SQL Server 2005
Miscellaneous
Thread ID: 01341172
Message ID: 01341236
Views: 14
This message has been marked as one that helped answer the initial question of the thread.
Take a look at this too.

http://blogs.technet.com/windowsserver/archive/2008/08/21/URLSCAN-3.0-RTW_3A00_-DOWNLOAD-TODAY.aspx

>Wow, this will take me a while to go through. Thanks for doing this research for me.
>
>>>Hi everybody,
>>>
>>>I'm thinking that instead of trying to intercept every request, we may try to use UPDATE/INSERT triggers for every table and reject entries containing < script >. Does it sound like a better approach?
>>>
>>>What do you think?
>>>
>>>Thanks in advance.
>>
>>I think it would make sense to research it fully. Here's a few to get you started:
>>
>>http://www1.cs.columbia.edu/~angelos/Papers/sqlrand.pdf
>>http://www.securiteam.com/securityreviews/5DP0N1P76E.html
>>http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx
>>http://msdn.microsoft.com/en-us/library/bb355989.aspx
>>http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx
>>http://www.colinmackay.net/tabid/57/Default.aspx
>>http://msdn.microsoft.com/en-us/library/aa224806.aspx
>>
>>There are some appliances and tools like WatchFire AppScan, Applicure's DotDefender, or eEye's REM Security Management Appliance. Most are cost prohibitive though.
>>
>>One thing you can do though is download the trialware of some checking tools so you use it as a test to check for vulnerabilities....
>>
>>http://www.security-hacks.com/2007/05/18/top-15-free-sql-injection-scanners