I just heard something on the latest DotNetRocks episode, featuring Joe Stagner, that has made me very nervous. At around 1h 30m into the show, the talk turns to security. Carl asks if it's possible to inject SQL when using a SqlParameter. It's a common belief that it's not possible, but Joe Stagner says that it is possible and he, in fact, knows how to do it! I for one am not comfortable with security by obscurity, and don't like knowing that there's a possible security loophole that I'm not accounting for. So, how can someone do this? Most importantly, how does one protect against it?
-Brendan
Posted 09-21-2004 9:53 AM by Brendan Tompkins
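The post does not say which technique Joe Stagner had in mind, so the following is an added example, not code from the post or from the show. It shows the one well-known way a query that is called with a SqlParameter can still be injected: the parameter value cannot change the text of the command the client sends, but if the stored procedure it reaches builds dynamic SQL by concatenating that value and then executes the string, the injection simply moves one layer down into the database. The table, procedure names and probe value are all made up for the illustration. The T-SQL is written for SQL Server, which is what SqlParameter talks to.

```sql
-- Added example, not from the post. dbo.Users, dbo.FindUser_* and the probe
-- value are hypothetical; the pattern (EXEC of a concatenated string) is real.
CREATE TABLE dbo.Users (
    Id      INT IDENTITY PRIMARY KEY,
    Name    NVARCHAR(100) NOT NULL,
    IsAdmin BIT NOT NULL DEFAULT 0
);
INSERT INTO dbo.Users (Name, IsAdmin) VALUES (N'alice', 0), (N'bob', 1);
GO

-- Vulnerable: @name arrives intact through the SqlParameter, but the procedure
-- splices it into a string and executes the string. The client's
-- parameterisation protects the call, not what the procedure does afterwards.
CREATE PROCEDURE dbo.FindUser_Vulnerable @name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT Id, Name, IsAdmin FROM dbo.Users WHERE Name = '''
             + @name + N'''';
    EXEC (@sql);
END
GO

-- Hardened: the query text is still dynamic, but the value is bound as a typed
-- parameter via sp_executesql, so it is compared as data and never parsed as SQL.
CREATE PROCEDURE dbo.FindUser_Safe @name NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT Id, Name, IsAdmin FROM dbo.Users WHERE Name = @p';
    EXEC sp_executesql @sql, N'@p NVARCHAR(100)', @p = @name;
END
GO

-- Constructed probe: exactly the string a client would pass in a SqlParameter.
DECLARE @probe NVARCHAR(100) = N'x'' OR 1=1 --';

-- Executes: SELECT ... WHERE Name = 'x' OR 1=1 --'   -> returns every row
EXEC dbo.FindUser_Vulnerable @name = @probe;

-- Executes: SELECT ... WHERE Name = @p with @p = the literal probe text -> no rows
EXEC dbo.FindUser_Safe @name = @probe;
GO

-- Quick audit for the pattern: procedures whose body executes a string.
-- Every hit needs a manual look; string concatenation into EXEC is the smell.
SELECT OBJECT_SCHEMA_NAME(object_id) AS [schema], OBJECT_NAME(object_id) AS [object]
FROM sys.sql_modules
WHERE definition LIKE '%EXEC (%' OR definition LIKE '%EXEC(%'
   OR definition LIKE '%EXECUTE (%' OR definition LIKE '%EXECUTE(%';
```

The protection, then, is the same rule applied on both sides of the wire: the client binds values with SqlParameter, and any dynamic SQL inside the database binds them with sp_executesql (or avoids dynamic SQL altogether). Parameters cannot be used for identifiers, so a procedure that accepts a table or column name and splices it in has to validate it against a whitelist or QUOTENAME it; no amount of client-side parameterisation fixes that.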