Do stored procedures help eliminate SQL injection / What are the benefits of stored procedures over normal SQL statements in apps?

I'm pretty new to the SQL world. Here are my questions:

  • What are the benefits of stored procedures over normal SQL statements in applications?
  • Do stored procedures help eliminate SQL injection?
  • In Microsoft SQL Server it is called stored procedure. How about in Oracle, MySQL, DB2, etc.?

Thanks for your explanation.

natch3z asked Jul 23 '09 19:07


1 Answer

Stored procedures only directly prevent SQL injection if you call them in a parameterized way. If you still have a string in your app with the procedure name and concatenate parameters from user input to that string in your code, you'll still have trouble.

However, when used exclusively, stored procedures let you add some additional protection by making it possible for you to disable permissions to everything but the EXEC command. Aside from this, parameterized queries/prepared statements are normally cached by the server, and so are just like a stored procedure in nearly every respect.

In spite of this, stored procedures have two big advantages for larger enterprises:

  • They allow you to define an application interface for the database, so that the system can be shared between multiple applications without having to duplicate logic in those applications.
  • They move the SQL code to the DB, where you can easily have an experienced DBA tune, update, and otherwise maintain it, rather than application developers who often don't know exactly what they're doing with database code.

Of course, these advantages aren't without cost:

  • It's harder to track changes in source control
  • The database code is far separated from the code that uses it
  • Developer tools for managing many stored procedures are less than ideal (if you've ever opened the stored procedures folder in Management Studio to find 200 procedures for a database, you know what I'm talking about here).
Joel Coehoorn answered Oct 05 '22 23:10
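The distinction the answer draws, as an added example that is not part of the question or of Joel Coehoorn's answer: the same lookup written once by concatenating the caller's input into the statement text and once with a bound parameter, run against a constructed in-memory SQLite database. SQLite has no stored procedures, so a plain SELECT stands in for the procedure body; the app-side mistake is the same whether the text being concatenated is `SELECT ... WHERE name = '` or `EXEC GetUserByName '`. The `build_exec_call` helper shows the shape of a parameterized procedure call in ODBC escape syntax (`{CALL proc(?)}`) for a hypothetical procedure name; it builds the text and bound values but does not execute them, since no SQL Server is assumed here.

```python
import sqlite3

# Constructed sample data standing in for the application's users table.
SAMPLE_USERS = [
    ("alice", "alice@example.com", 0),
    ("bob", "bob@example.com", 0),
    ("admin", "admin@example.com", 1),
]

# Constructed attacker input: closes the quoted literal and appends an always-true clause.
INJECTION = "x' OR '1'='1"


def make_db():
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable: user input is spliced into the statement text.

    This is exactly what 'concatenating parameters from user input onto the
    procedure name' looks like in application code; the database cannot tell
    the attacker's quote from the developer's.
    """
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterized: the statement text is fixed and the value is bound separately.

    The driver sends the value as data, so quotes inside it never become syntax.
    """
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def build_exec_call(proc, params):
    """Build a parameterized stored-procedure call in ODBC escape syntax.

    Hypothetical procedure name; returns (sql_text, bound_values) in the form a
    DB-API driver such as pyodbc takes as cursor.execute(sql_text, bound_values).
    The SQL text depends only on the number of parameters, never on their content,
    which is the property that keeps the call injection-free.
    """
    placeholders = ", ".join("?" for _ in params)
    return f"{{CALL {proc}({placeholders})}}", tuple(params)


if __name__ == "__main__":
    db = make_db()
    print("unsafe, normal input: ", lookup_unsafe(db, "alice"))
    print("unsafe, injected:     ", lookup_unsafe(db, INJECTION))  # every row leaks
    print("safe, injected:       ", lookup_safe(db, INJECTION))    # no such user
    print("proc call:            ", build_exec_call("GetUserByName", [INJECTION]))
```

Run it and the unsafe lookup returns all three rows for the injected input while the parameterized one returns none; the procedure-call text produced by `build_exec_call` is the same `{CALL GetUserByName(?)}` whatever the input, which is the whole point of the answer's first paragraph.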