@Camilla
A fair point. For such attacks to succeed, there must be inadequate input validation at two points: the web interface (allowing XSS and SQL injection attacks) and the underlying DB software (allowing buffer overflow attacks). So, you have two choices to prevent them:
a) wait for Microsoft, Oracle, MySQL, etc. to produce a database server guaranteed free of buffer overflow vulnerabilities (might be a long wait, and you'd still be vulnerable to XSS); or
b) proper validation of web input strings.
The latter looks more attractive to me given that:
1. It isn't too technically demanding (the most popular web servers provide tools to help, although they aren't 100% effective).
2. It doesn't require a huge effort (given reasonably documented and structured code, admittedly not a very likely contingency :).
3. It protects against XSS as well as SQL injection.