• I think this also illustrates why DBAs need to be included in development and why code must be vetted by someone competent to do so.

    If you are going to use the command object then you can go one better and wrap it all up in a DLL.

    In addition to the SQL injection protection, you are running compiled code.

    I have seen cases where tweaking IIS caused ASP to start spewing out either hacker-friendly error messages or, in one case, ASP source code complete with connection strings.
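As an added illustration of the Command-object approach the comment above recommends (this is example code, not part of the original post or any project it refers to), here is a classic ASP page showing the injectable string-built query beside the parameterised ADODB.Command version. It assumes a SQL Server backend, a hypothetical Users table with a UserName column, and a connection string kept in an Application variable instead of in the page source.

```vbscript
<%
' Added example, not from the original post.
' Assumptions: SQL Server behind ADO, a table Users(UserName, ...), and the
' connection string stored in Application("ConnString") rather than in the page.
Option Explicit

' ADO constants, normally supplied by adovbs.inc
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200

Dim conn, cmd, rs, userInput
userInput = Request.Form("username")   ' untrusted: comes straight from the browser

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")

' BEFORE (vulnerable): the value is spliced into the SQL text.
' Submitting   ' OR 1=1 --   as the username turns the WHERE clause into
' WHERE UserName = '' OR 1=1 --'   and every row comes back.
' Set rs = conn.Execute("SELECT UserName FROM Users WHERE UserName = '" & userInput & "'")

' AFTER (parameterised): the SQL text is fixed; the value is bound as typed data
' and is never parsed as SQL, so quotes and comment markers are harmless.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT UserName FROM Users WHERE UserName = ?"
cmd.Parameters.Append cmd.CreateParameter("@UserName", adVarChar, adParamInput, 50, userInput)

Set rs = cmd.Execute
If Not rs.EOF Then
    ' Encode on the way out as well; the database is not the only injection sink.
    Response.Write "Found: " & Server.HTMLEncode(rs("UserName"))
Else
    Response.Write "No such user"
End If

rs.Close
conn.Close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing
%>
```

The size argument to CreateParameter (50 here) should match the column width; some providers reject or truncate longer values, so validate length before binding rather than relying on the driver. Moving this block into a compiled COM DLL, as the comment suggests, keeps the query text and connection handling out of the .asp file, so a misconfigured IIS that starts serving source shows only a method call rather than the SQL and connection string.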