StoredProcedures

Recently, I start to use MS-SQL StoredProcedures instead of hard-coding SQL query in the program. Using StoredProcedure is a good way of separating database queries and ASP.NET code. However, there is slight difference. For example, I want to execute a query like the following:

using (SqlConnection conn = new SqlConnection(connStr))
{
SqlCommand cmd = new SqlCommand("select * from Employee where eid in (15,16,17)", conn);
conn.Open();
SqlDataReader rs = cmd.ExecuteReader();
GridViewResChanged.DataSource = rs;
GridViewResChanged.DataBind();
}

It works perfectly. But if I want to send '(15,16,17)' as a varchar parameter to the StoreProcedure, then it failed:

using (SqlConnection conn = new SqlConnection(connStr))
{
var eids = '(15,16,17)';
SqlCommand cmd = new SqlCommand("queryEmployee", conn);
cmd.CommandType = CommandType.StoredProcedure;
cmd.Parameters.Add("@eids", SqlDbType.VarChar).Value = eids;
conn.Open();
cmd.ExecuteNonQuery();
}

It is said to be insecure if web users maliciously insert a random string into the database server:
How to pass a list of values or array to SQL Store Procedures

If I insisted using StoreProcedures, I need to learn how to loop the string and get those comma-separated input out in T-SQL.
It is sometimes pain in the ass when the code works perfectly before but failed in a new way of implementation.