There is only one type of injection, that is, using a value for something other than a value. There is (basically) only one way to protect against this, and that is to always use bind variables for passed values.
There are some variants that might be considered another "type" of injection, but they all boil down to the same thing anyway. Just don't use dynamic SQL.
In Sybase and Powerbuilder I recall their where four main types of dynamix cursors; Dynamix SQL - I'm guessing that this still applies to SQL Server since Mirco$wipe "based" their product on Sybase AS.
I recall some horrific outsourced code I had the misfortune of modifying, a lot of nasty code that defined a type 4 SQLDA dynamic cursor. Using SQLDA you are allowed to define a cursor in which the input parameters and types and the the result set and types are not defined until the querry runs. Just because you can, does not mean you should however.