Just read this article. I am a strong follower of SPs. One of the points highlighted in this was a bit of a surprise to me:
"Using SPs make it more likely that you will pass parameters the right way, but there is no guarantee."
I thought it is possible to do it in SPs when I saw an SP like:
CREATE PROCEDURE sp_ExecSQL
    @SQLStatement varchar(8000)
AS
    -- Runs whatever SQL text the caller passes in, unchanged
    -- (the parentheses are needed to execute a string rather than a procedure name).
    EXEC (@SQLStatement)
GO
I talked to the developer about this; they did this so they wouldn't have to create SPs for all the ad hoc code they have, and they were kind of trying to follow the rule that code only gets executed by means of stored procedures.
But according to Douglas, it is possible to do it other ways. I would like to find other ways to do SQL Injection, not to execute it but to understand SQL Injection in further depth.
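One of the "other ways" the article is pointing at is a stored procedure that builds its own query by string concatenation: everything still goes through an SP, but the parameter value becomes part of the SQL text instead of a value the SQL compares against. The following is an added illustration, not code from the article or from the poster; the table `dbo.Customer`, its columns and the procedure names are assumed for the example. It puts the concatenating version next to the hardened version that keeps the statement text fixed and passes the value as a typed parameter through `sp_executesql`.

```sql
-- Added example (not from the original post). Table and column names are assumed.

-- Unsafe: the parameter is pasted into the statement text, so the caller's
-- input can change the shape of the query, even though access is "SP only".
CREATE PROCEDURE dbo.usp_FindCustomer_Unsafe
    @LastName nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(4000);
    SET @sql = N'SELECT CustomerId, LastName FROM dbo.Customer WHERE LastName = '''
               + @LastName + N'''';
    EXEC (@sql);
END
GO

-- Hardened: the SQL text is a constant; the value travels as a typed parameter,
-- so it is always treated as data and can never alter the statement.
CREATE PROCEDURE dbo.usp_FindCustomer_Safe
    @LastName nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(4000);
    SET @sql = N'SELECT CustomerId, LastName FROM dbo.Customer WHERE LastName = @p_LastName';
    EXEC sp_executesql
        @sql,
        N'@p_LastName nvarchar(100)',
        @p_LastName = @LastName;
END
GO

-- Simplest: when the query does not actually need to be dynamic, write it
-- directly and let the procedure parameter do the work.
CREATE PROCEDURE dbo.usp_FindCustomer_Static
    @LastName nvarchar(100)
AS
    SELECT CustomerId, LastName
    FROM dbo.Customer
    WHERE LastName = @LastName;
GO
```

A quick review check for an SP-only code base is therefore not "is it a stored procedure?" but "does any procedure concatenate a parameter into a string that it then executes?" Only the first procedure above fails that check; the other two keep the query text separate from the caller's data.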