At http://content.usatoday.com/communities/technologylive/post/2011/06/new-mass-meshing-attack-poisoning-small-business-web-sites/1 there is a very disturbing article on SQL injection attacks and how they have been automated.
This is very disturbing as it means that any public-facing web site may be attacked. Anonymity is no protection (and never was). The bottom line is that no person or company can claim to be too insignificant to be attacked.
So have you run FxCop on your .NET code? CA2100 catches SQL command text that is built up by concatenation. The rule description reads: "This rule assumes that the string argument contains user input. A SQL command string that is built from user input is vulnerable to SQL injection attacks. In a SQL injection attack, a malicious user supplies input that alters the design of a query in an attempt to damage or gain unauthorized access to the underlying database. Typical techniques include injection of a single quotation mark or apostrophe, which is the SQL literal string delimiter; two dashes, which signifies a SQL comment; and a semicolon, which indicates that a new command follows."
You will still need to check all your stored procedures for EXEC and EXECUTE, as the improper use of EXECUTE within a stored procedure can also give rise to a SQL injection vulnerability.
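As an added illustration (not code from the original post), here is the stored-procedure pattern the last paragraph warns about, its parameterized replacement, and a catalog query to locate modules that use EXEC/EXECUTE; it assumes SQL Server (T-SQL) and a hypothetical dbo.Customer table.

```sql
-- Added example, not from the original post; assumes SQL Server and a
-- hypothetical table dbo.Customer(CustomerId, LastName).

-- 1. What FxCop cannot see: the concatenation happens inside T-SQL, so CA2100
--    on the .NET side stays silent, yet EXEC of the built string is injectable.
CREATE PROCEDURE dbo.FindCustomer_Unsafe @LastName nvarchar(100) AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerId, LastName FROM dbo.Customer WHERE LastName = '''
             + @LastName + N'''';
    EXEC (@sql);   -- @LastName becomes part of the statement text itself
END;
GO

-- 2. Hardened: the statement text is fixed and the value travels as a typed
--    parameter through sp_executesql, so input can never change the query shape.
CREATE PROCEDURE dbo.FindCustomer_Safe @LastName nvarchar(100) AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, LastName FROM dbo.Customer WHERE LastName = @p';
    EXEC sys.sp_executesql @sql, N'@p nvarchar(100)', @p = @LastName;
END;
GO

-- 3. The review the post asks for: list every user module whose definition
--    mentions EXEC or EXECUTE so each one can be inspected by hand.
--    The LIKE is deliberately broad (it also hits sp_executesql and comments);
--    it is a worklist for manual review, not a verdict.
SELECT OBJECT_SCHEMA_NAME(m.object_id) AS schema_name,
       OBJECT_NAME(m.object_id)        AS module_name,
       o.type_desc
FROM sys.sql_modules AS m
JOIN sys.objects     AS o ON o.object_id = m.object_id
WHERE m.definition LIKE '%EXEC%'                          -- EXEC and EXECUTE
  AND OBJECTPROPERTY(m.object_id, 'IsMSShipped') = 0     -- skip system objects
ORDER BY schema_name, module_name;
```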