• The first rule of application security is to never trust user input. The second rule is to always test for SQL injection. The third rule is to run the tests again in the stored procedure. The fourth rule is to never allow any query other than through a stored procedure. The fifth rule is to prohibit the use of Entity Framework to directly access the database without using a stored procedure.

    As much as I hate the first word that comes out of a DBA's mouth, "NO!!!", security of the data in a database is the single most important value an application developer can hold. The second most important is maintainability.

    When I have been engaged as an architect on a project, I have always considered security to be the most important consideration and have angered many developers by refusing to move off the position that stored procedures are the only way to access the database.
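An added example of the first two rules in practice (this is not the commenter's code, and it uses Python with an in-memory SQLite database rather than Entity Framework; SQLite has no stored procedures, so the parameterized query stands in for the fixed query text a stored-procedure call would give you). The table, its rows and the probe string are all constructed here. The point is the test: a lookup that splices user input into SQL text returns every row for a tautology probe, while the parameterized lookup treats the same string as a plain username and returns nothing.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Breaks rule one: the untrusted value becomes part of the SQL text."""
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Query text is fixed; the value is bound as a parameter, never parsed as SQL.
    This is the same shape as calling a stored procedure with a parameter."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed probe for rule two: a value that only changes the result set if the
# database engine interprets it as SQL rather than as a username.
INJECTION_PROBE = "' OR '1'='1"


def injection_test(lookup) -> bool:
    """Rule two, as a runnable check. Returns True when the lookup is safe, i.e.
    when the probe matches no user (no user is literally named that) and so
    returns zero rows. A lookup that returns rows has let the probe rewrite the
    WHERE clause."""
    conn = make_db()
    try:
        return lookup(conn, INJECTION_PROBE) == []
    finally:
        conn.close()


def run_report() -> dict:
    """Summary of both lookups against the probe: {function name: is_safe}."""
    return {
        lookup_user_unsafe.__name__: injection_test(lookup_user_unsafe),
        lookup_user_safe.__name__: injection_test(lookup_user_safe),
    }


if __name__ == "__main__":
    for name, safe in run_report().items():
        print(f"{name}: {'SAFE' if safe else 'VULNERABLE'}")
```

The same `injection_test` can be pointed at any data-access function with the `(conn, value)` shape, which is what "always test for SQL injection" looks like once it is a unit test rather than a checklist item: the test fails the moment someone adds a code path that builds SQL from input.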