I've parameterized my queries in my Classic ASP app, but am unsure whether I need to sanitize or scrub free text fields or if the parameterization is sufficient to prevent injection.
Not all sql stored procs are injection safe
http://palisade.plynt.com/issues/2006Jun/injection-stored-procedures/
If you use parametrized queries, you're safe against SQL injection attacks.
But not for XSS attacks; some user could to insert HTML content (think about <script>, <object> tags) into your database and, at some page, another user get that potentially malicious code executed.
来源:https://stackoverflow.com/questions/2113262/sql-injection-on-classic-asp-pages-with-parameterized-queries-text-fields