I use stored procedures. Any chance I'm vulnerable to SQL Injection?
The short answer is "yes".
SQL Injection is the result of dynamic SQL statements, that is, query text assembled at run time from user input. Stored procedures are pre-compiled pieces of code, so one wouldn't expect them to be vulnerable to SQL Injection; the catch is that dynamic SQL can still be built inside the stored procedure itself, or in the code that calls it.
To quote Chris Anley's classic "Advanced SQL Injection" paper (page 17):
Traditional wisdom holds that if an ASP application uses stored procedures in the database, that SQL injection is not possible. This is a half-truth, and it depends on the manner in which the stored procedure is called from the ASP script.
Essentially, if a parameterised query is run, and the user-supplied parameters are passed safely to the query, then SQL injection is typically impossible. However, if the attacker can exert any influence over the non-data parts of the query string that is run, it is likely that they will be able to control the database.
Good general rules are:
- If the ASP script creates a SQL query string that is submitted to the server, it is vulnerable to SQL injection, *even if* it uses stored procedures.
- If the ASP script uses a procedure object that wraps the assignment of parameters to a stored procedure (such as the ADO command object, used with the Parameters collection) then it is generally safe, though this depends on the object's implementation.
Santosh explained this in detail in the article "Are stored procedures safe against SQL injection?"
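To make the distinction concrete, here is an added T-SQL example (not from the original post or from Anley's paper) showing the "pre-compiled but still vulnerable" case beside two hardened versions. The `dbo.Users` table, the procedure names and the sample data are constructed for this illustration. The dynamic procedure pastes its parameter into the query text, so the value becomes code; the static and `sp_executesql` versions keep the value as a bound parameter, and only a whitelisted column name is ever concatenated into the non-data part of the query.

```sql
-- Added example, not part of the original post. Constructed table for illustration.
CREATE TABLE dbo.Users (
    Id       INT IDENTITY(1,1) PRIMARY KEY,
    UserName NVARCHAR(100) NOT NULL,
    Email    NVARCHAR(200) NOT NULL
);
GO
INSERT INTO dbo.Users (UserName, Email) VALUES (N'alice', N'alice@example.test'), (N'O''Brien', N'obrien@example.test');
GO

-- VULNERABLE: the procedure is pre-compiled, but it assembles a new SQL string at
-- run time from its parameter and executes it. The parameter value becomes part
-- of the query text, so any quote character in the value changes the query itself.
CREATE PROCEDURE dbo.FindUser_Dynamic
    @UserName NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT Id, UserName, Email FROM dbo.Users WHERE UserName = '''
               + @UserName + N'''';
    EXEC (@sql);
END
GO

-- HARDENED (1): no dynamic SQL at all. The parameter is only ever a value.
CREATE PROCEDURE dbo.FindUser_Static
    @UserName NVARCHAR(100)
AS
BEGIN
    SELECT Id, UserName, Email FROM dbo.Users WHERE UserName = @UserName;
END
GO

-- HARDENED (2): when dynamic SQL is genuinely needed (here, a caller-chosen sort
-- column), keep the user value out of the query text by binding it through
-- sp_executesql, and allow only whitelisted identifiers into the non-data part.
CREATE PROCEDURE dbo.FindUser_Parameterised
    @UserName NVARCHAR(100),
    @SortBy   SYSNAME = N'UserName'
AS
BEGIN
    -- Whitelist the non-data fragment instead of trusting the input.
    IF @SortBy NOT IN (N'Id', N'UserName', N'Email')
    BEGIN
        RAISERROR(N'Invalid sort column', 16, 1);
        RETURN;
    END;

    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT Id, UserName, Email FROM dbo.Users WHERE UserName = @name ORDER BY '
        + QUOTENAME(@SortBy) + N';';

    -- The value travels as a typed parameter, never as part of the SQL text.
    EXEC sys.sp_executesql @sql, N'@name NVARCHAR(100)', @name = @UserName;
END
GO

-- A harmless check that shows the difference: a legitimate name containing an
-- apostrophe breaks the dynamic version (the quote ends the literal and the rest
-- is parsed as SQL, giving an "Unclosed quotation mark" error), while both
-- hardened versions simply return the matching row.
EXEC dbo.FindUser_Static        @UserName = N'O''Brien';
EXEC dbo.FindUser_Parameterised @UserName = N'O''Brien', @SortBy = N'Email';
EXEC dbo.FindUser_Dynamic       @UserName = N'O''Brien';   -- syntax error, not a result
GO
```

The same rule applies on the client side, which is the case Anley's quote is about: a caller that concatenates `"EXEC dbo.FindUser_Static '" & name & "'"` into a string has reintroduced dynamic SQL and is exposed regardless of how safe the procedure body is, whereas passing `name` through a parameter object (for example the ADO Command object's Parameters collection mentioned above) keeps it as data.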