But stored procedures do not, by themselves, necessarily protect against SQL injection. The usefulness of a stored procedure as a protective measure has everything to do with how the stored procedure is written.
As you have done:
insert into tbl_add_student(Id,Name,Roll) values(@Id,@Name,@Roll)
If someone assigns the value
100); Drop TABLE tbl_add_student;
then it will be executed as
insert into tbl_add_student(Id,Name,Roll) values(@Id,@Name,100);
Drop TABLE tbl_add_student;
resulting in the Add_Student table being dropped.
You can check out these two links for further reading:
(I) Do Stored Procedures Protect Against SQL Injection? - Brian Swan - MSDN Blogs
(II) How to prevent SQL Injection in Stored Procedures
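As an added T-SQL example (constructed for this thread, not code from the answer above or from the original poster), here is what "how the stored procedure is written" means in practice: the same insert written once with string concatenation and EXEC, once as a plain parameterized statement, and once with sp_executesql. The procedure names, the NVARCHAR column types and the table definition are assumptions.

```sql
-- Constructed example table; column types are assumed.
CREATE TABLE tbl_add_student (Id INT, Name NVARCHAR(50), Roll NVARCHAR(50));
GO

-- Vulnerable pattern: the procedure splices its parameters into statement
-- text and runs it with EXEC. Whatever @Name or @Roll contains (for example
-- the Roll value quoted in the answer above) is parsed and executed as SQL.
CREATE PROCEDURE usp_AddStudent_Unsafe
    @Id INT, @Name NVARCHAR(50), @Roll NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'INSERT INTO tbl_add_student(Id, Name, Roll) VALUES('
        + CAST(@Id AS NVARCHAR(10)) + N', ''' + @Name + N''', ''' + @Roll + N''')';
    EXEC (@sql);   -- dynamic SQL built from untrusted text
END
GO

-- Hardened pattern: parameters are bound, never concatenated into SQL text,
-- so their content is only ever stored as data. A Roll value containing
-- "Drop TABLE" simply ends up as a string in the Roll column.
CREATE PROCEDURE usp_AddStudent_Safe
    @Id INT, @Name NVARCHAR(50), @Roll NVARCHAR(50)
AS
BEGIN
    INSERT INTO tbl_add_student(Id, Name, Roll) VALUES (@Id, @Name, @Roll);
END
GO

-- If dynamic SQL is genuinely needed, keep the statement text fixed and pass
-- the values through sp_executesql's parameter list instead of concatenating.
CREATE PROCEDURE usp_AddStudent_DynamicSafe
    @Id INT, @Name NVARCHAR(50), @Roll NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'INSERT INTO tbl_add_student(Id, Name, Roll) VALUES(@Id, @Name, @Roll)';
    EXEC sp_executesql @sql,
        N'@Id INT, @Name NVARCHAR(50), @Roll NVARCHAR(50)',
        @Id = @Id, @Name = @Name, @Roll = @Roll;
END
GO
```

A quick review check for any existing procedure is to search its body for EXEC ( or EXECUTE ( applied to a variable built with +; that is the pattern that turns parameters back into SQL text.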