It isn't true to say that SQL injection in stored procedures has no effect in SQL Server, however—if an attacker can inject SQL into a stored procedure, he can directly modify the system catalog—but only if he already had permissions that would enable him to do so. The additional risk posed by this is slight, since the attacker would already have to be an administrator in order to take advantage of any SQL injection flaw in this way—and if he is a database administrator, there are many other, far more serious things he can do to the system.

این پاراگراف برگرفته از کتاب The Database Ha*cke*r's است

تا حدودی می تونن

اما این رو بدون

No System Is Safe

شاید یه خورده دیر دارم جواب میدم اما آره میتونن
به شرطی که مستقیم از دستور exec استفاده نکنی و اگر میخوای select بگیری یا insert کنی به شکل زیر عمل کنی

select * from tbl1 where id=@myid