Both the guide and the strip are inaccurate. Parameterized SQL statements are also vulnerable to injection: you can't parameterize identifiers, only values. So any dynamic column references, dynamic sort orders, or dynamic limit statements remain injectable.
To see why this matters, consider every data table view ever implemented in any web app: table columns are selectable with checkboxes, you can click the columns to change sort order, and the data is paginated.
You should obviously be using parameterized queries. They are clearly more secure than concatenated SQL queries. But they aren't a magic totem against injection, and we have much better resources for developers than XKCD. Start with (yes really) Microsoft:
Do people really use variables based on raw userdata to select table/columns? Seems like an incredibly rare case, and bad design. I've never seen/used it.
Parameterized queries are a magic totem against injection, unless you mix them with concatenation of unclean userdata. Which would be silly.
Of course they do. Sort columns send "ASC" and "DESC", pagination limits and offsets are sent in offset= parameters, etc. How else do you think people do it, other than the most obvious way?
Don't make the problem even worse than it is by trying to downplay it just because you know what you're doing.
For offsets and limits convert/parse it to a number first and ensure it's within sane bounds.
You're right though. Parameterization isn't a magic bullet that allows you to forget about all other unclean data if you're using other unclean data in an SQL query.
My advice is, pass page= as your pagination and pass 1/0 in for ASC or DESC. If you have selectable columns, number them in the parameters, don't name them.
Point being, when you compose the query, you should never be inserting text from parameters; you should be converting parameters into known-good values.
To see why this matters, consider every data table view ever implemented in any web app: table columns are selectable with checkboxes, you can click the columns to change sort order, and the data is paginated.
You should obviously be using parameterized queries. They are clearly more secure than concatenated SQL queries. But they aren't a magic totem against injection, and we have much better resources for developers than XKCD. Start with (yes really) Microsoft:
http://msdn.microsoft.com/en-us/library/ms161953.aspx