Prepared Statements and Stored Procs Used Together
I'm in the planning stages of a Microsoft ASP.NET / SQL Server 2008 based web application and, in thinking about database design, I began to think about injection attacks and what strategies I should employ to mitigate the database as a vector for injection attacks.
I've heard from various sources that using stored procedures increases safety. I have also read that these are equally ineffective if they are still used with dynamic SQL, as this presents an injection point.
Question
Is it possible to use a parameterized query inside a stored procedure? My thinking is that if I pass the arguments to the stored procedure into the prepared statement, the database engine will sanitize those arguments for me.
Yes, you can pass a parameterized query inside a stored procedure, but I think it will not use the execution plan in the procedure and will work slowly, as far as I know.
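As an added illustration of the question (not code from the original thread), here are two T-SQL versions of the same stored procedure for SQL Server 2008. The first builds dynamic SQL by string concatenation, which is the pattern that makes a stored procedure an injection point; the second keeps the SQL text fixed and binds the caller's value through sp_executesql, so the value is never parsed as SQL. The table and column names are assumptions made for the example.

```sql
-- Added example, not from the original thread. Table and columns are assumed.
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY PRIMARY KEY,
    LastName   NVARCHAR(100) NOT NULL,
    City       NVARCHAR(100) NOT NULL
);
GO

-- Unsafe: dynamic SQL built by concatenation. The caller's input becomes part
-- of the SQL text, so the procedure itself is the injection point, even though
-- the application called it "through a stored procedure".
CREATE PROCEDURE dbo.FindCustomersByCity_Unsafe
    @City NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT CustomerId, LastName, City FROM dbo.Customers '
             + N'WHERE City = ''' + @City + N''';';
    EXEC (@sql);  -- the whole string is parsed as SQL; quotes in @City alter it
END;
GO

-- Safe: the SQL text is a constant; @City is bound as a value via sp_executesql.
-- The statement text does not change with the input, so SQL Server can also
-- reuse the cached plan for the parameterized statement.
CREATE PROCEDURE dbo.FindCustomersByCity
    @City NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT CustomerId, LastName, City FROM dbo.Customers '
             + N'WHERE City = @CityParam;';
    EXEC sp_executesql
        @sql,
        N'@CityParam NVARCHAR(100)',  -- parameter declaration for the statement
        @CityParam = @City;           -- bound value, never spliced into the text
END;
GO

-- Usage: the application should call the procedure with a parameter as well
-- (SqlCommand with CommandType.StoredProcedure plus cmd.Parameters.Add in
-- ADO.NET), so the value stays parameterized end to end.
EXEC dbo.FindCustomersByCity @City = N'Seattle';
```

Two practical notes. First, if the only thing that varies is a value (as here), dynamic SQL is unnecessary: a plain `SELECT ... WHERE City = @City` inside the procedure is already parameterized and is the simplest option. Second, parameters can only carry values, not identifiers; if a procedure must vary a table or column name, validate it against an allow-list of known names and wrap it with `QUOTENAME()` rather than concatenating the caller's string.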