• As a dev I'm always stunned when I come across a system that's vulnerable to SQL injection given that it's such an easy gap to close. Just don't build up SQL strings by concatenating in parameter values. Use proper ADO parameters. Unless you're using dynamic SQL, that's all you need to do, whether you're calling sprocs or using SQL direct. Of course, that's a .NET-centric view of the world, but all other major languages support an equivalent.
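The contrast the comment draws, as an added example that is not part of the original post: the same lookup written once by concatenating the value into the SQL text and once with a bound parameter (Python's `sqlite3` stands in for ADO parameters; the table and input values are constructed for the demo).

```python
import sqlite3


def make_db():
    # Constructed sample data for the demo: a tiny in-memory users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")],
    )
    return conn


def find_user_concat(conn, name):
    # VULNERABLE: the value is spliced into the SQL text, so a quote character
    # inside `name` changes the statement's structure instead of being data.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn, name):
    # SAFE: the SQL text is fixed and the value travels as a bound parameter;
    # the driver never interprets the contents of `name` as SQL.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    # Run both variants against a hostile value and a perfectly legitimate
    # name that happens to contain an apostrophe.
    conn = make_db()
    hostile = "x' OR '1'='1"
    try:
        concat_quote = find_user_concat(conn, "O'Brien")
    except sqlite3.OperationalError:
        # Concatenation also breaks on ordinary data: the apostrophe in
        # O'Brien terminates the string literal and the statement fails.
        concat_quote = "error"
    return {
        "concat_hostile": find_user_concat(conn, hostile),  # every row leaks
        "param_hostile": find_user_param(conn, hostile),    # no such name: []
        "concat_quote": concat_quote,                       # "error"
        "param_quote": find_user_param(conn, "O'Brien"),    # ["O'Brien"]
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parameterized form returns nothing for the hostile value and the correct row for O'Brien, which is exactly the behaviour the comment says you get for free by not concatenating.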