• You're correct, users should never be able to access the base tables directly at all, and all calls to the database must be parameterised. Basically, although I believe that the presentation layer should do its own checking as well, the safest course for the database designer and developer is to assume that the user has console access to SQL Server. In a badly-written application things are almost like that. If the users get any freedom to execute SQL statements, there is a danger that they can escalate their permissions if everything isn't nailed down. As far as database defense against SQL Injection goes, I reckon that the article I wrote, Schema-Based Access Control for SQL Server Databases, is relevant. Even with schema-based security, though, there are still risks of SQL Injection, especially if SQL Server is badly configured. (See Windows privilege escalation script PowerUp by Will Schroeder.)

    Best wishes,
    Phil Factor