You're right, but a checkbox doesn't have to be how the information gets sent.
There's nothing indicating that the form which gets processed is coming from this server.
<html>
<body>
<form action="http://www.thisguysserver.com/hisprocessingpage.asp" method="post">
<his form field values, then... />
<input type="text" name="todelete" value="1;DROP TABLE table;
">
<input type="submit" value="go">
</form>
</body>
</html>
If I were to build that HTML on my desktop, open it in IE and then clicked the submit button, the form data gets submitted to his page. That means he's not just dealing with checkboxes anymore.
Some script kiddies were using a similar technique a while back with IBill's system to change payment values before submitting orders for various things, allowing them to get things at more than a modest discount.
You could do a check for the http referrer, but who honestly does that for every single page they work on? And really, that doesn't matter either - a five minute Python script can impersonate any browser from any IP. Wouldn't take much to screw with this guy's data.
Stored procs offer atomic application and user-level security, increase performance, and help to ensure that data only moves around the way you want it to.
PS sorry - I'm paranoid. But I hear it's a good thing at times.