
I admit that SQL injection seems to be exploited more than I expect. However, 7-30% doesn't hold for actual vulnerability percentages: just because there are more attacks doesn't mean that it's actually successfully exploited more.



There are a lot of automated scanners (mostly OpenVAS, sqlmap and the like) that are continually scanning internet targets. An attack does not equate to a breach of security.


Fair enough. You are right to distinguish between attempted attacks and successful exploitation. To be honest I cannot be bothered to properly read those articles I posted and see if they were talking about attempts or successful attacks. :-)

Though having worked as a penetration tester I can say that, while rare, it was certainly not unheard of for a client's web application to be vulnerable to SQL injection. And this is for clients who are willing to spend several $1000s on a penetration test for their website - imagine what it's like for people who don't give a second thought to the security of their site.


It only takes one PHP developer using PDO to read an article like this one to open up SQL injection holes. http://pdo.w3clan.com/tutorial/176/like-clause-in-clause-and...
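The kind of PDO mistake this comment is pointing at, shown as an added example (it is not code from the thread or from the linked tutorial): a LIKE search and an IN list built by string concatenation, each next to the bound-parameter version. The in-memory SQLite database, the users table and the attacker inputs are all constructed here for illustration.

```php
<?php
// Added example, not from the original thread or the linked tutorial.
// Uses an in-memory SQLite database (constructed here) so it runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice', 'admin'), (2, 'bob', 'user'), (3, 'carol', 'user')");

// VULNERABLE: the search term is spliced into the SQL text, so the quotes in
// the input end the LIKE pattern and the rest is parsed as SQL. Wrapping this
// in prepare() afterwards would change nothing; the damage is already in $sql.
function searchVulnerable(PDO $pdo, string $search): array {
    $sql = "SELECT name FROM users WHERE name LIKE '%" . $search . "%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// FIXED: the wildcards are added to the bound VALUE, not to the SQL text, and
// % and _ in the input are escaped so the caller cannot widen the pattern either.
function searchSafe(PDO $pdo, string $search): array {
    $escaped = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $search);
    $stmt = $pdo->prepare("SELECT name FROM users WHERE name LIKE :pattern ESCAPE '\\'");
    $stmt->execute([':pattern' => '%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// VULNERABLE: implode() of raw input into an IN list is the same mistake.
function usersByIdVulnerable(PDO $pdo, array $ids): array {
    $sql = "SELECT name FROM users WHERE id IN (" . implode(',', $ids) . ")";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// FIXED: one placeholder per value; only the placeholder count comes from the
// input, the values themselves are bound positionally.
function usersByIdSafe(PDO $pdo, array $ids): array {
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT name FROM users WHERE id IN ($placeholders)");
    $stmt->execute(array_values($ids));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed attacker inputs.
$likePayload = "x%' OR 1=1 -- ";            // closes the pattern, adds a tautology, comments out the rest
$inPayload   = ["0) OR role = 'admin' -- "]; // closes the IN list and appends its own condition

print_r(searchVulnerable($pdo, $likePayload));   // alice, bob, carol: injection succeeded
print_r(searchSafe($pdo, $likePayload));         // empty: the payload is matched as a literal
print_r(usersByIdVulnerable($pdo, $inPayload));  // alice: the admin row leaks
print_r(usersByIdSafe($pdo, $inPayload));        // empty: the payload is compared as a value
```

The point to take from the two fixed functions is that prepare() only protects the parts of the statement that are sent as bound values; anything concatenated into the SQL string before prepare() is still injectable, which is exactly what tutorials that build LIKE patterns or IN lists with string concatenation get wrong.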



