a) not putting any kind of direct DB access in your website, using a middle tier layer (webservice?) to act as the DB access
b) not letting the middle tier server access the DB directly, instead having to go through stored procedures
c) basically not letting anyone run "select * from users" at all.
Security can be done, but as long as we have websites that think "webserver" means all the back-end processing has to be running in the web server whether its IIS or Apache, and frameworks that assume all development must be done in 1 web-server hosted language.... then we will continue to see security breaches like this.
You want to secure your site, split the web handling/presentation from the data processing, and the processing from the data extraction. Then slap as much security on the interfaces between these layers. Do not trust the webserver one bit. Assume the webserver is already hacked. Hell, do not trust the middle tier either - allow it only the limited data it needs for each part of the processing.
I've done the above, its not nearly as difficult as the webdevs will say.