I heard that SQL Injection can still be possible when using ADO.NET SQLParameter (parameterised query) for SQL Server.
I am looking for real examples in C#/VB code.
If you're creating a statement in a stored proc and using sp_executesql, a parameterized query is a false safety net.
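
The pattern this answer describes, shown beside a corrected form, as an added T-SQL example that is not code from the original thread. The table `dbo.Users` and both procedure names are hypothetical, and the input value is constructed.

```sql
-- Hypothetical table used only for this illustration.
CREATE TABLE dbo.Users (
    Id       int IDENTITY PRIMARY KEY,
    LastName nvarchar(50) NOT NULL
);
GO

-- Vulnerable: the caller binds @LastName with a SqlParameter, so the call
-- itself is parameterized. Inside the procedure the value is concatenated
-- into the statement text, so sp_executesql parses it as SQL, not as data.
CREATE PROCEDURE dbo.FindUser_Concat
    @LastName nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT Id, LastName FROM dbo.Users WHERE LastName = '''
        + @LastName + N'''';
    EXEC sp_executesql @sql;
END
GO

-- Hardened: the statement text is a constant, and the value is handed to
-- sp_executesql through its own parameter list, so it is never parsed.
CREATE PROCEDURE dbo.FindUser_Param
    @LastName nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT Id, LastName FROM dbo.Users WHERE LastName = @p';
    EXEC sp_executesql @sql, N'@p nvarchar(50)', @p = @LastName;
END
GO

INSERT INTO dbo.Users (LastName) VALUES (N'O''Brien');
GO

-- Constructed input: an ordinary surname containing a single quote.
-- In the concatenating procedure the quote ends the string literal early and
-- the remainder is parsed as SQL, so the call fails with a syntax error.
EXEC dbo.FindUser_Concat @LastName = N'O''Brien';

-- The parameterized procedure treats the same value purely as data
-- and returns the matching row.
EXEC dbo.FindUser_Param @LastName = N'O''Brien';
```

When reviewing stored procedures, any `sp_executesql` or `EXEC` call whose statement string is built by concatenating a procedure parameter is the thing to flag. Where an object name has to be dynamic and cannot be bound as a parameter, wrap it in `QUOTENAME()`.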