Is SQL Injection possible when parameter's type isn't set?

Does passing SQL Parameters to a stored procedure alone ensure that SQL injection won't happen or the type checks also need to be performed?

As an example, the ADO.NET code:

    // The command is built as a stored-procedure call, never as concatenated SQL text.
    Database DBObject = DataAccess.DAL.GetDataBase();
    DbCommand command = DBObject.GetStoredProcCommand("usp_UpdateDatabase");
    List<DbParameter> parameters = new List<DbParameter>();
    // User input is bound as parameter values; with no explicit type,
    // SqlParameter infers SqlDbType.NVarChar from the string value.
    parameters.Add(new SqlParameter("@DbName", txtName.Text));
    parameters.Add(new SqlParameter("@DbDesc", txtDesc.Text));
    command.Parameters.AddRange(parameters.ToArray());
    int rowsAffected = DBObject.ExecuteNonQuery(command);

SP:

    ALTER PROCEDURE [dbo].[usp_GetSearchResults]
        -- Add the parameters for the stored procedure here
        @DbName NVARCHAR(50) = ''
       ,@DbDesc NVARCHAR(50) = ''
    AS
    BEGIN
        SET NOCOUNT ON;
        SELECT  [RegionName]
               ,[AppName]
        FROM    [ApplicationComponent]
        WHERE   [DBName] LIKE ('%' + @DbName + '%')
        OR      [DBDesc] LIKE ('%' + @DbDesc + '%')
    END

In the above code, I haven't mentioned any parameter types or validation logic. Would it still prevent SQL injection?

Thanks for the guidance!

Dienekes asked Dec 28 '22 08:12


1 Answer

No, that should be fine. The value in the LIKE clause is still built up as a string value, rather than being interpreted as part of the SQL statement. It's still being treated as data rather than code, and that's the crucial part of avoiding SQL injection attacks.

Jon Skeet answered Jan 08 '23 00:01
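An added example, not from the question or the answer, that shows the answer's point on a constructed copy of the table, with SQLite standing in for SQL Server (its string-concatenation operator is `||` rather than `+`): text spliced into the SQL statement is executed as code, while a bound parameter is only ever a pattern value, even when the `'%'` wildcards are concatenated around it inside the SQL, exactly as the stored procedure on the page does.

```python
import sqlite3

# Constructed sample of the page's [ApplicationComponent] table. SQLite stands
# in for SQL Server here; '||' is its string-concatenation operator.
ROWS = [
    ("East", "Billing", "BillingDB", "Invoices"),
    ("West", "Payroll", "PayrollDB", "Salaries"),
    ("East", "Audit", "AuditDB", "Internal only"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ApplicationComponent"
                 " (RegionName, AppName, DBName, DBDesc)")
    conn.executemany("INSERT INTO ApplicationComponent VALUES (?, ?, ?, ?)", ROWS)
    return conn

def search_concatenated(conn, db_name):
    """Unsafe shape: the caller's text becomes part of the SQL statement."""
    sql = ("SELECT RegionName, AppName FROM ApplicationComponent "
           f"WHERE DBName LIKE '%{db_name}%'")
    return conn.execute(sql).fetchall()

def search_parameterized(conn, db_name):
    """Shape of the page's SP: '%' is concatenated in SQL, the value is bound."""
    sql = ("SELECT RegionName, AppName FROM ApplicationComponent "
           "WHERE DBName LIKE ('%' || ? || '%')")
    return conn.execute(sql, (db_name,)).fetchall()

# Constructed input: closes the quote and comments out the rest of the statement.
PAYLOAD = "Billing' OR 1=1 --"

if __name__ == "__main__":
    conn = make_db()
    print(search_parameterized(conn, "Bill"))    # [('East', 'Billing')]
    print(search_concatenated(conn, PAYLOAD))     # every row: the text ran as SQL
    print(search_parameterized(conn, PAYLOAD))    # []: the text was only a pattern
    # Caveat: LIKE metacharacters in the value still act as wildcards. That is
    # not injection (no SQL runs), but '%' alone matches every row.
    print(search_parameterized(conn, "%"))        # all three rows
```

The last call is the one caveat that survives parameterization: `%` and `_` in the input change what the `LIKE` matches, so the value still needs validation or escaping if that matters, but it can never change the statement.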