We do as Moron++ prescribes but it's easier said than done. You need discipline to only grant execute access to SQL or Windows logons for the s-procs (direct base-table or view access is not allowed) and write your s-proc code accordingly. Your security model can easily get botched by folks that don't understand the details and grant db_datareader/db_datawriter in a troubleshooting panic and don't understand the long term repercussions of such an action.
in reply to Re: Preventing malicious T-SQL injection attacks
in thread Preventing malicious T-SQL injection attacks