xRather than using a stored procedure with dynamic SQL...
Use ADO.NET instead of dynamic SQL in a stored procedure. You can use bind variables like this:
OracleCommand command;
...
command.CommandType = CommandType.Text;
command.CommandText = "UPDATE emp SET sal = sal*2 WHERE empno = :x";
command.Parameters.Add("x", someValue);
...
command.ExecuteNonQuery();
...
Or, use a stored procedure but don't use dnynamic SQL like this:
create or replace procedure dsal(p_empno in number) as
begin
UPDATE emp SET sal = sal*2 WHERE empno = p_empno;
end;