First of all, this is not new. My logs have shown attempted attacks like this for over a month.
Second, the attack vector is not simply requesting parameters and passing them to the database; the code is sent as part of the querystring, which the server parses causing the code to be executed which appends the script call into most text fields in your database, in every record.
Default validations do NOT catch all the attempts, certainly most, but the odd one does get through validation - at this point, it doesnt matter how you coded your queries, as long as you have tables with text fields you are just as screwed - the code simply hits every table. Again, you do NOT have to pass this code to the database in your script to be vulnerable
There are modules to beef up the validation, and they work well to prevent this, but you dont have to be an idiot to be hit - and I resent that statement.
And yes, I operate a couple dozen sites across a number of servers and can see this activity clearly in my logs and have one or two successful attacks on fully patched servers to draw my information from.
To iterate is human, to recurse, divine. -- Robert Heller