How to use dates in WHERE in SQL Server
From: John Ryan, Captain-Cooker Appreciation Society, Taumata Whakatangi ..., New Zealand
Date: 10/06/2008 20:46:54
Forum: Microsoft SQL Server
Category: Other, Miscellaneous
Thread ID: 01322704
Message ID: 01322970
Views: 24
The idea is to NOT send raw SQL commands to the server. Instead, call stored procedures and send parameters.

The usual source of injection is a web entry form, in which case the user cannot see the SQL at all. But they can experiment with likely entries in text boxes that may allow injection.

As you note, the key is to use parameterized SQL. I've seen more than one SP system that was wide open to injection because of SQL concatenation inside the SP. In fact, I believe that hundreds of servers in Asia were hacked recently because they used concatenated SQL in SPs.

Ironically enough, VFP's Remote View has been 100% immune to injection since 1995. ;-)
"... They ne'er cared for us
yet: suffer us to famish, and their store-houses
crammed with grain; make edicts for usury, to
support usurers; repeal daily any wholesome act
established against the rich, and provide more
piercing statutes daily, to chain up and restrain
the poor. If the wars eat us not up, they will; and
there's all the love they bear us.
"
-- Shakespeare: Coriolanus, Act 1, scene 1
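The failure mode described in the reply, concatenated SQL inside a stored procedure, shown beside the parameterized form. This is an added example and not code from the thread; the table, column and procedure names are hypothetical, and it targets SQL Server (T-SQL), where `sp_executesql` carries the values as typed parameters.

```sql
-- Added example, not from the original thread. Table, column and procedure
-- names are hypothetical. Shows why "we only call stored procedures" is not
-- a defence on its own: the concatenation happens inside the procedure.

CREATE TABLE dbo.Orders (
    OrderID   int          NOT NULL PRIMARY KEY,
    Customer  nvarchar(50) NOT NULL,
    OrderDate datetime     NOT NULL
);
-- Constructed sample rows.
INSERT INTO dbo.Orders (OrderID, Customer, OrderDate) VALUES
    (1, N'Acme',   '2008-05-01'),
    (2, N'Globex', '2008-06-15');
GO

-- VULNERABLE: the caller passes proper parameters, but the procedure
-- rebuilds a SQL string from them and executes it.
CREATE PROCEDURE dbo.GetOrders_Unsafe
    @Customer nvarchar(50),
    @Since    datetime
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT OrderID, Customer, OrderDate FROM dbo.Orders '
      + N'WHERE Customer = ''' + @Customer + N''' '
      -- Style 126 is ISO 8601, so the date itself is unambiguous; the
      -- injection comes from @Customer, not from the date.
      + N'AND OrderDate >= ''' + CONVERT(nvarchar(23), @Since, 126) + N'''';
    EXEC (@sql);
END
GO

-- Attack input typed into a web form: the quote closes the literal,
-- OR 1=1 makes the predicate true, and -- comments out the date filter.
EXEC dbo.GetOrders_Unsafe @Customer = N'x'' OR 1=1 --', @Since = '2008-06-01';
GO

-- HARDENED: the same dynamic SQL, but the values are bound through
-- sp_executesql. The input is only ever compared as data, and the date
-- is passed as a datetime rather than re-formatted into text.
CREATE PROCEDURE dbo.GetOrders_Safe
    @Customer nvarchar(50),
    @Since    datetime
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT OrderID, Customer, OrderDate FROM dbo.Orders '
      + N'WHERE Customer = @c AND OrderDate >= @d';
    EXEC sp_executesql @sql,
         N'@c nvarchar(50), @d datetime',
         @c = @Customer, @d = @Since;
END
GO

EXEC dbo.GetOrders_Safe @Customer = N'x'' OR 1=1 --', @Since = '2008-06-01';
GO
```

With the sample rows, the unsafe call returns both orders because the injected text rewrites the WHERE clause, while the safe call returns nothing: there is no customer literally named `x' OR 1=1 --`. The check a reviewer should apply to any procedure is the presence of `EXEC (@string)` built from its own parameters; if dynamic SQL is genuinely needed, the values must go through `sp_executesql` and only identifiers (which cannot be parameterized) should be validated and quoted with `QUOTENAME`.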