[200 OK]: A Port80 Software Blog

We're all 200 OK: Web, HTTP and IIS Insights

Microsoft Says SQL Injection Attack Not Their Fault (Translation: Get a Web App Firewall!)

The recent wave of SQL injection attacks has made mainstream news, just in case you have not seen it:

Hundreds of Thousands of Microsoft Web Servers Hacked

Jeremiah Grossman and others have made the point, accurately, that this is not a Microsoft IIS Web server issue, but rather that Web developers not adhering to security best practices are to blame (for shame, it is not like we have enough to do already!):

Security expert: Don't blame Microsoft for mass site defacements

To solve this puzzle, look no further than controlling parameters and permissions and sanitizing your inputs with a Web application firewall (WAF) like ServerDefender AI or the upcoming ServerDefender VP. Yes, you can learn to write more secure code, but why wait to get protected or deal with recoding legacy bits? Get a WAF, and get PCI compliant, something we all need to be focusing on now.

Cheers,
Port80

PS BTW thanks to Jeremiah for being one of the early believers in ServerMask... it is nice to watch as his security star rises!

posted on Monday, April 28, 2008 4:31 PM
