I think you ought to be able to use placeholders for the parameters. Thus, you provide just as many question marks as there are parameters (BTW don't the parameters start at index 0?), and pass the actual parameter in the do call.

$Command = "EXEC $SPROC " . join ', ', ('?') x $elements_in_array;
[download]

This will produce something that looks like

EXEC FOO ?, ?, ?
[download]

(I have no idea if this is the proper syntax for calling stored procedures in T-SQL — perhaps it needs parens?)
which later you call through

$dbh->do($Command, undef,  @CHOICE[1 .. $elements_in_array])
[download]

(The undef comes in place of the \%attr in the docs.)

That ought to remove all possible problems related to dangerous values in ther parameters, as they're all treated as content of strings.

And yes, you should check if $PROC looks right, like a proper procedure name, for example with a regex.