SPI Dynamics recently had an on-demand webcast where they scanned around 1000 sites using the Google API for SQL injection. The scanning application returned approximately 700 sites that actually responded to their queries. They only did simple SQL injection tests using a very basic SQL string. Also, they only looked at sites that actually returned verbose SQL responses. Even with this very small and restricted subset, they found that 11% of sites returned verbose SQL errors. The presenter goes on to say that he thought that this estimate was representative of the population but is likely a lot higher than that.
Based on the presentation, it sounds like there are lots of vulnerable web apps out there. It is kind of interesting to me that even in this day and age, SQL injection is still so common. Thankfully, the presentation also provides the best approach to prevent SQL injection vulnerabilities; validation based on whitelists, and sound queries through parameterization.
Check it out when you have 15 minutes or so.