Post: As usual MS
Posted Friday 27th June 2008 09:21 GMT
In Microsoft and HP tackle SQL-injection scourge
are entirely blaming ASP and saying "everyone should switch to ASP.Net", though even they must realise that exactly the same thing can happen with any web technology.
It's fairly easy to check. If there's a semicolon somewhere in the query string, even encoded with a % sign, stop the request and send out a big "you are a hacker go away" message.
Problem is that most of the sites that are getting attacked were written before these SQL injection attacks were around - so naturally those sites aren't protected against it. Most people are clued up now, and the fact that ASP.Net appears more secure is simply that the coding practice is now well known and new sites are built with SQL injection in mind - nothing to do with ASP.Net being "better" or "more secure". Surely even Paris Hilton could see that?
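The semicolon check described in the post, written out next to a query that binds its input as a parameter. This is an added example, not part of the original comment. The function names, the `items` table and the sample query strings are constructed for illustration, and parameter binding is assumed here as the coding practice the post alludes to.

```python
import sqlite3
from urllib.parse import unquote

def has_semicolon(query_string, max_rounds=3):
    """Check from the post: flag a ';' in the query string, raw or %-encoded."""
    s = query_string
    for _ in range(max_rounds):      # repeat decoding to catch %253B (double-encoded)
        if ";" in s:
            return True
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return ";" in s

def make_db():
    # Constructed in-memory table standing in for a site's database
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?)",
                   [(1, "apple"), (2, "pear"), (3, "plum")])
    return db

def lookup_concat(db, name):
    # 'Before' form: the request value is pasted into the SQL text
    return db.execute(
        "SELECT id FROM items WHERE name = '" + name + "'").fetchall()

def lookup_param(db, name):
    # Hardened form: the request value is bound as data, never parsed as SQL
    return db.execute("SELECT id FROM items WHERE name = ?", (name,)).fetchall()

# Constructed sample query strings
SAMPLES = ["name=apple", "name=apple;x", "name=apple%3Bx",
           "name=apple%253Bx", "name=x%27%20OR%20%271%27%3D%271"]

def demo():
    """Return (flagged by filter?, rows via concat, rows via bound parameter)."""
    db = make_db()
    raw = SAMPLES[-1]
    value = unquote(raw.split("=", 1)[1])   # what the page handler would receive
    return (has_semicolon(raw),
            len(lookup_concat(db, value)),
            len(lookup_param(db, value)))

if __name__ == "__main__":
    for q in SAMPLES:
        print(q, "->", "blocked" if has_semicolon(q) else "passed")
    print(demo())
```

The last sample contains no semicolon, so the filter passes it; the concatenated query then returns every row while the bound-parameter query returns none.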
