SQL injection on Classic ASP pages with parameterized queries: text fields

I've parameterized my开发者_Go百科 queries in my Classic ASP app, but am unsure whether I need to sanitize or scrub free text fields or if the parameterization is sufficient to prevent injection.

If you use parametrized queries, you're safe against SQL injection attacks.

But not for XSS attacks; some user could to insert HTML content (think about <script>, <object> tags) into your database and, at some page, another user get that potentially malicious code executed.

Not all sql stored procs are injection safe

http://palisade.plynt.com/issues/2006Jun/injection-stored-procedures/