He's using stored procedures to exec a block of SQL he puts together. If you do it that way it's no different to slapping a query together directly in your code.
If you do it this way you avoid the string concatenation that enables SQL injection, and you don't need any table permissions, just execute permission on the proc:
ALTER PROCEDURE dbo.SearchWidgets
    @SearchTerm VARCHAR(50)
AS
BEGIN
    -- @SearchTerm is a parameter, not part of the statement text, so it is only ever data.
    -- 52 = 50 characters of search term plus the two wildcard characters.
    DECLARE @filter VARCHAR(52)
    SET @filter = '%' + @SearchTerm + '%'
    SELECT Id, Name FROM dbo.Widget WHERE Name LIKE @filter
END
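The contrast the reply draws, as an added T-SQL example that is not the poster's code: the string-building procedure it warns against, the parameterized form beside it with the LIKE wildcard edge case handled, a parameterized `sp_executesql` for the case where some of the statement really must be built at runtime, and the execute-only grant. The table `dbo.Widget(Id, Name)` comes from the reply; the procedure names `SearchWidgets_Dynamic` and `SearchWidgets_Sorted`, the role `app_user`, and the sample rows are assumptions made for this illustration.

```sql
-- Added example, not the poster's code. Assumes dbo.Widget(Id INT, Name VARCHAR(100))
-- and a database role named app_user (both assumptions for this illustration).

-- 1. The pattern being warned against: the procedure builds the statement as text
--    and executes it, so the caller's input is spliced into the code. A quote
--    character in @SearchTerm is no longer data; it alters the statement.
CREATE OR ALTER PROCEDURE dbo.SearchWidgets_Dynamic
    @SearchTerm VARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT Id, Name FROM dbo.Widget WHERE Name LIKE ''%'
             + @SearchTerm + N'%''';
    EXEC (@sql);   -- text execution: code and input are mixed
END;
GO

-- 2. The parameterized form from the reply, plus one edge case it does not cover:
--    '%' and '_' inside the search term are LIKE wildcards, so a term of '%' alone
--    would match every row. ESCAPE makes them literal characters.
CREATE OR ALTER PROCEDURE dbo.SearchWidgets
    @SearchTerm VARCHAR(50)
AS
BEGIN
    SET NOCOUNT ON;
    -- Each escaped character grows by one, so size the buffers for the worst case.
    DECLARE @escaped VARCHAR(100) =
        REPLACE(REPLACE(REPLACE(@SearchTerm, '\', '\\'), '%', '\%'), '_', '\_');
    DECLARE @filter VARCHAR(102) = '%' + @escaped + '%';
    SELECT Id, Name
    FROM dbo.Widget
    WHERE Name LIKE @filter ESCAPE '\';
END;
GO

-- 3. When part of the statement genuinely has to vary (here the sort direction),
--    keep the variable part to a whitelist and still pass the user value as a
--    parameter through sp_executesql rather than concatenating it.
CREATE OR ALTER PROCEDURE dbo.SearchWidgets_Sorted
    @SearchTerm VARCHAR(50),
    @SortDesc   BIT = 0
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @filter VARCHAR(52) = '%' + @SearchTerm + '%';
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT Id, Name FROM dbo.Widget WHERE Name LIKE @p ORDER BY Name '
        + CASE WHEN @SortDesc = 1 THEN N'DESC' ELSE N'ASC' END;
    EXEC sp_executesql @sql, N'@p VARCHAR(52)', @p = @filter;
END;
GO

-- 4. Permissions: the caller gets EXECUTE on the procedure only. Because the
--    procedure and the table share an owner (dbo), ownership chaining lets the
--    procedure read dbo.Widget without granting SELECT on the table to app_user.
GRANT EXECUTE ON dbo.SearchWidgets        TO app_user;
GRANT EXECUTE ON dbo.SearchWidgets_Sorted TO app_user;
GO

-- Constructed sample data and calls showing that awkward input stays data.
INSERT INTO dbo.Widget (Id, Name) VALUES (1, 'O''Brien bracket'), (2, '100% cotton'), (3, 'Plain widget');
EXEC dbo.SearchWidgets @SearchTerm = 'O''Brien';  -- returns row 1; the apostrophe is just a character
EXEC dbo.SearchWidgets @SearchTerm = '100%';      -- returns row 2 only; '%' matched literally via ESCAPE
EXEC dbo.SearchWidgets_Sorted @SearchTerm = 'widget', @SortDesc = 1;
```

Procedure 1 is there only to make the difference visible: everything in it that the caller controls becomes part of the executed text, while in procedures 2 and 3 the search term travels as a typed parameter the whole way, so no value of `@SearchTerm` can change the shape of the query.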