LLBLGen Pro generates SQL on the fly and doesn't use stored procedures for its database operations. Aren't these queries vulnerable to SQL injection attacks?
All SQL generated by LLBLGen Pro is parameterized. This means that no values are embedded into the SQL query being generated. Because values are passed as parameters, a value can never influence the query being executed: it is never part of the query text itself, only the value of a parameter. The generated code is therefore not vulnerable to SQL injection attacks.
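The difference between a value embedded in the query text and a value passed as a parameter, as an added example that is not LLBLGen Pro's generated code: it uses Python's built-in `sqlite3` module, and the `customers` table, the function names and the sample values are all constructed for illustration.

```python
import sqlite3

# Constructed sample value: a quote followed by an always-true condition.
HOSTILE = "x' OR '1'='1"

def make_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO customers (name) VALUES (?)",
                     [("Alice",), ("Bob",), ("O'Brien",)])
    return conn

def find_concatenated(conn, name):
    # Weak form: the value becomes part of the SQL text, so the database
    # parses it as SQL and the value can change the query's structure.
    sql = ("SELECT name FROM customers WHERE name = '" + name +
           "' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]

def find_parameterized(conn, name):
    # Parameterized form: the SQL text is fixed and contains only a
    # placeholder. The value is bound separately and is only ever compared
    # as data, whatever characters it contains.
    sql = "SELECT name FROM customers WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]

if __name__ == "__main__":
    conn = make_db()
    # Concatenated: the WHERE clause is rewritten and every row comes back.
    print("concatenated :", find_concatenated(conn, HOSTILE))
    # Parameterized: no customer has that literal name, so nothing matches.
    print("parameterized:", find_parameterized(conn, HOSTILE))
    # A legitimate name containing a quote works as a parameter ...
    print("parameterized:", find_parameterized(conn, "O'Brien"))
    # ... but breaks the concatenated query with a syntax error.
    try:
        find_concatenated(conn, "O'Brien")
    except sqlite3.OperationalError as exc:
        print("concatenated :", "syntax error:", exc)
```

The same fixed query text serves every value in the parameterized form, which is why a quote in legitimate data such as `O'Brien` needs no escaping there.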