I've parameterized my queries in my Classic ASP app, but am unsure whether I need to sanitize or scrub free text fields or if the parameterization is sufficient to prevent
Not all SQL stored procs are injection safe
http://palisade.plynt.com/issues/2006Jun/injection-stored-procedures/
If you use parametrized queries, you're safe against SQL injection attacks.
But not against XSS attacks: some user could insert HTML content (think about <script> and <object> tags) into your database and, on some page, another user could get that potentially malicious code executed.
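Added example, written for this page and not taken from the question or either answer, illustrating both points above: a parameterized query stores a hostile string literally and cannot be broken out of, a stored procedure that builds dynamic SQL from its parameter can still be injected even when the caller parameterized the call, and a stored `<script>` tag survives parameterization untouched until it is encoded on output. Assumptions: SQLite stands in for the SQL Server behind the Classic ASP app, the "stored procedure" is modelled as a Python function that concatenates its argument (SQLite has no procedures), and the payloads and table contents are constructed for the demo.

```python
import html
import sqlite3

# Constructed payloads. The first tries to change the SQL; the second is a
# stored-XSS payload that SQL parameterization will store verbatim.
SQLI_PAYLOAD = "x' OR 'a'='a"
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


def make_db():
    """In-memory SQLite stands in for the app's SQL Server (assumption for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)", ("alice", "first post"))
    conn.commit()
    return conn


def insert_comment_parameterized(conn, author, body):
    """Parameterized INSERT: the driver sends the text as data, never as SQL."""
    conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))
    conn.commit()


def find_by_author_parameterized(conn, author):
    """Parameterized lookup: the quote inside the payload is just a character in a string."""
    return conn.execute("SELECT body FROM comments WHERE author = ?", (author,)).fetchall()


def find_by_author_dynamic_proc(conn, author):
    """Models a stored procedure that receives @author as a parameter and then
    builds and EXECs a string (dynamic SQL). The caller parameterized its call,
    but the concatenation inside the procedure re-opens the injection."""
    dynamic_sql = "SELECT body FROM comments WHERE author = '" + author + "'"
    return conn.execute(dynamic_sql).fetchall()


def render_unsafe(body):
    """Writing the raw stored value into the page (Response.Write style): stored XSS fires."""
    return "<p>" + body + "</p>"


def render_escaped(body):
    """Encode on output (what Server.HTMLEncode does in ASP): the tag becomes inert text."""
    return "<p>" + html.escape(body, quote=True) + "</p>"


def demo():
    conn = make_db()
    # Both hostile strings go in through parameterized INSERTs and are stored literally.
    insert_comment_parameterized(conn, "mallory", XSS_PAYLOAD)
    insert_comment_parameterized(conn, "mallory", SQLI_PAYLOAD)
    stored = [r[0] for r in conn.execute(
        "SELECT body FROM comments WHERE author = 'mallory' ORDER BY id")]
    # Same payload used as a lookup key: the parameterized query matches nothing,
    # the dynamic-SQL "procedure" collapses to WHERE author = 'x' OR 'a'='a'
    # and returns every row in the table.
    safe_rows = find_by_author_parameterized(conn, SQLI_PAYLOAD)
    leaked_rows = find_by_author_dynamic_proc(conn, SQLI_PAYLOAD)
    return {
        "stored_bodies": stored,
        "parameterized_match_count": len(safe_rows),
        "dynamic_proc_match_count": len(leaked_rows),
        "unsafe_html": render_unsafe(stored[0]),
        "escaped_html": render_escaped(stored[0]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The takeaway matches the two answers: parameterization answers the question "can this text alter my SQL?" (no, as long as every layer, stored procedures included, keeps treating it as data), while the question "can this text alter my HTML?" is only answered by encoding at the point of output, not by scrubbing on the way into the database.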