Stored Procedures with Caution

Stored procedures can prevent SQL injection when implemented correctly, but they are not inherently secure: the protection comes from passing user input as typed parameters, not from the procedure itself. A safe stored procedure implementation:

-- Secure stored procedure
-- @Email is a typed parameter; its value is bound by the engine and never
-- becomes part of the SQL text, so it cannot change the query's structure.
CREATE PROCEDURE GetUserByEmail
    @Email NVARCHAR(255)
AS
BEGIN
    SELECT UserID, Username, Email
    FROM Users
    WHERE Email = @Email
END

-- Called safely from application
EXEC GetUserByEmail @Email = '[email protected]'

However, dynamic SQL inside a stored procedure reintroduces the vulnerability: once a parameter is concatenated into a string that is then executed, the parameter is back to being untrusted query text.

-- DANGEROUS: Dynamic SQL in stored procedure
CREATE PROCEDURE SearchUsers
    @SearchTerm NVARCHAR(255)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX)
    SET @sql = 'SELECT * FROM Users WHERE Username LIKE ''%' + @SearchTerm + '%'''
    EXEC(@sql)  -- Vulnerable to injection!
END
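The hardened counterpart of SearchUsers, as an added example (not code from the original page): the statement text stays constant and the search term is passed to sp_executesql as a typed parameter, with LIKE wildcards escaped so a caller cannot widen the match. A second query, also added here, lists procedures whose bodies use EXEC( or sp_executesql so they can be reviewed for concatenation. Assumes SQL Server (T-SQL) and the Users table from above; the procedure name SearchUsersSafe is a placeholder.

```sql
-- Hardened version of SearchUsers (added example; SearchUsersSafe is a placeholder name)
CREATE PROCEDURE SearchUsersSafe
    @SearchTerm NVARCHAR(255)
AS
BEGIN
    SET NOCOUNT ON;

    -- Escape LIKE metacharacters ('\', '%', '_') so user input is matched
    -- literally; the ESCAPE clause below declares '\' as the escape character.
    DECLARE @Escaped NVARCHAR(300) =
        REPLACE(REPLACE(REPLACE(@SearchTerm, '\', '\\'), '%', '\%'), '_', '\_');

    -- The SQL text is a constant. The only reference to user data is the
    -- named parameter @Pattern, which sp_executesql binds by value.
    DECLARE @sql NVARCHAR(MAX) = N'SELECT UserID, Username, Email
        FROM Users
        WHERE Username LIKE @Pattern ESCAPE ''\''';

    EXEC sp_executesql
        @sql,
        N'@Pattern NVARCHAR(302)',
        @Pattern = '%' + @Escaped + '%';
END
GO

-- Review aid: find procedures that run dynamic SQL, so each can be checked
-- for string concatenation of its parameters (a match is a review item, not
-- proof of a flaw: sp_executesql with bound parameters is the safe pattern).
SELECT OBJECT_SCHEMA_NAME(m.object_id) AS SchemaName,
       OBJECT_NAME(m.object_id)        AS ProcName
FROM sys.sql_modules AS m
JOIN sys.procedures  AS p ON p.object_id = m.object_id
WHERE m.definition LIKE '%EXEC%(%'
   OR m.definition LIKE '%sp_executesql%'
ORDER BY SchemaName, ProcName;
```

Calling EXEC SearchUsersSafe @SearchTerm = N'a''; DROP TABLE Users; --' returns only usernames containing that literal text, because the value never reaches the parser as SQL.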