As a side note, the usual packet-filtering firewalls won't protect you from SQL injection attacks. They simply lack the application intelligence to know what is going on beyond opening port 80 for web traffic. The same is true of many application-level attacks, of which SQL injection is one. Network intrusion detection will help, but it will not serve as a magic "silver bullet" in this case: there are too many different forms and strings of such attacks to be encoded as an effective signature set. Additionally, if a target site is running SSL, an attacker can evade the IDS by simply moving all the attack activity from TCP port 80 to port 443, where the encryption will likely hide all malfeasance from the sensor.
We will categorize defenses into three main types, as described in Table 16-6.
Table 16-6. SQL injection defenses

| Defense | Description | Limitation |
|---|---|---|
| Generic error messages, limiting database output | Complicating the attacks by not providing the attacker with any feedback needed (or rather desired) for locating the SQL injection flaws | "Blind" SQL injection |
| Using stored procedures instead of dynamically built queries | Trying to avoid building queries from SQL commands and user input by replacing them with database stored procedures (conceptually similar to subroutines) | Recent advanced SQL injection techniques can inject parameters into stored procedures |
| | Trying to only allow legitimate requests to the database ... | |
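The first two rows of the table, shown as an added example that is not part of the original text: a query built by string concatenation (which is also what a stored procedure that assembles SQL internally does) beside a version that binds the input as a parameter, plus a wrapper that returns only a generic error message instead of the database's own text. The sample table and the names in it are constructed for the example; SQLite is used as a stand-in because it runs in-process.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the page): an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    return conn


def lookup_dynamic(conn, name):
    """Dynamically built query: the user's input becomes part of the SQL text.

    A stored procedure that concatenates its argument into a statement and
    executes it behaves the same way, which is the table's second caveat."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name):
    """Bound parameter: the driver passes the input as data, never as SQL."""
    cur = conn.execute(
        "SELECT name FROM users WHERE name = ? ORDER BY name", (name,))
    return [row[0] for row in cur]


def verbose_error(conn, name):
    """What an application with no error filtering hands back to the client:
    the database's own parser message, which tells an attacker the input
    reached the SQL layer and what broke."""
    try:
        lookup_dynamic(conn, name)
        return None
    except sqlite3.Error as exc:
        return str(exc)


def lookup_with_generic_error(conn, name, query=lookup_dynamic):
    """Limit feedback: replace the database's error text with a fixed message.

    The detailed exception belongs in a server-side log only; the caller
    learns nothing about the query structure from the response."""
    try:
        return query(conn, name)
    except sqlite3.Error:
        return "request failed"
```

Suppressing the error text does not remove the flaw (the dynamic query still returns every row for a tautology input); it only removes the feedback, which is why the table lists blind injection as the remaining limitation.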