• In the example the person is building a call to an SP in dynamic SQL; whether it is in TSQL or VB, it is still putting strings together, thus the problem. If you are using ADO and a command object with parameters, then SQL is passed to the SQL engine slightly differently: each parameter value is identified to the engine directly, i.e. @parameter1 = myvalue. You also benefit from typing, i.e. you can't put a string in an integer parameter.

    If you look at the command text of the command object you will see

    {? = call mysp(?, ?, ?)}

    Each ? represents a parameter (the first being the return value).

    There is no way using this that you can inject code (given the SP doesn't use dynamic SQL).


    Simon Sabin
    SQL Server MVP

    http://sqlblogcasts.com/blogs/simons
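The two ways of calling the procedure that this reply contrasts, as an added VBScript/ADO example that is not part of the original post. The procedure name mysp, its parameters @id and @text, and the connection string are placeholders, not taken from the thread.

```vbscript
' Added example (not from the original post): calling a stored procedure from
' classic ADO two ways. "mysp", its parameters and the connection string are
' assumed placeholders.
Option Explicit

' ADO constants (VBScript has no type library reference, so spell them out)
Const adCmdStoredProc = 4
Const adInteger = 3
Const adVarChar = 200
Const adParamReturnValue = 4
Const adParamInput = 1
Const adExecuteNoRecords = 128

Dim conn
Set conn = CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=SERVER;Initial Catalog=DB;Integrated Security=SSPI"  ' placeholder

' --- The pattern the thread warns about: the call is assembled as text.
' Whatever is in userText becomes part of the SQL the engine parses, so a
' value containing a quote changes the statement instead of staying data.
Function BuildByConcatenation(userId, userText)
    BuildByConcatenation = "EXEC mysp " & userId & ", '" & userText & "'"
End Function

' --- The pattern the reply describes: a Command object with typed parameters.
' The engine receives mysp plus each value separately; nothing in the values
' is parsed as SQL, and a non-numeric userId fails at CLng instead of reaching
' the engine (the typing benefit mentioned above).
Function CallWithParameters(userId, userText)
    Dim cmd
    Set cmd = CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "mysp"
    ' First parameter is the return value, matching the {? = call ...} text
    cmd.Parameters.Append cmd.CreateParameter("@RETURN_VALUE", adInteger, adParamReturnValue)
    cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , CLng(userId))
    cmd.Parameters.Append cmd.CreateParameter("@text", adVarChar, adParamInput, 50, userText)
    cmd.Execute , , adExecuteNoRecords
    CallWithParameters = cmd.Parameters("@RETURN_VALUE").Value
End Function

WScript.Echo BuildByConcatenation(42, "O'Brien")   ' the quote in the data breaks the statement text
WScript.Echo CallWithParameters(42, "O'Brien")     ' the quote is carried as data; prints the SP return value
```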