SQL Injection - Stored Procedures

Security needs to be multiple levels deep. At one point in time several years ago there was a trend to have all websites code use stored procedures. I heard developers say it prevented SQL Injection.

If the database you use allows you to build SQL statements with a string dynamically at run time in a stored procedure then you can have SQL injection in a Stored Procedure.  

Each Database slightly different syntax and guidelines:

• Oracle  (See Page 12)
• PostgesSQL 
• SQL Server

In short: If your doing dynamic SQL inside your Stored Procedures you will have validate the input otherwise you can be impacted.