in reply to DBI and stored procedures
Yes, well it depends on how your stored procedures handle invalid data and errors, doesn't it?
For example, if your stored procedure gets a string that is too long, does it fail gracefully, or does it crash? Does your program handle failures from the stored procedure call properly, or does it stop working completely?
The fact that you are less likely to get SQL Injection doesn't mean that you shouldn't ensure that external input is reasonably sane before it goes too far in your program