Stored procedures generally provide an extra layer of defense.
If you use SQL text generated by your code, then you make it easy for an injection attack. For example, if you have code like:
mySQL = "SELECT * FROM Products WHERE ProductID = " & textbox.text"
and then execute the string, an attacker who fills in the textbox with the string "ProductID; DELETE Products;" will wreak havoc. Using a stored procedure presumably would assign the textbox value to a parameter. The stored procedure code would then be:
SELECT * FROM Products WHERE ProductID = @parameter
and the same text will simply result in an error rather than sending you scrambling for a backup.
While this is a measure of defense, the best is scrupulous editing of the input data. If special characters don't belong in your database, then they don't belong in the input to it. Remove them by filtering such junk out.
"good (enough)" is a relative term...
Custom Apps, Inc.