Stored procedure is as follows:
CREATE PROCEDURE Foo
@bar varchar(100)
AS
SELECT * FROM tablename
WHERE columnname LIKE '%' + @bar + '%'
I've tried passing various strings to this stored procedure, but to me it looks like this would be safe from SQL injection, since everything between and including the wildcards would result in a single string.
If you are using C# and your code looks like this:
SqlCommand command = new SqlCommand("Foo", connection);
command.CommandType = CommandType.StoredProcedure;
command.Parameters.AddWithValue("@bar", myTextBox.Text);
then yes!
If it looks like this:
SqlCommand command = new SqlCommand("EXEC Foo '" + myTextBox.Text + "'", connection);
then no!
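The same two call patterns side by side, as an added example that is not part of the original answer: Python with an in-memory SQLite table standing in for the question's tablename/columnname (the table, rows and inputs are constructed for the demo). The bound-parameter version mirrors the AddWithValue call, where all of the input becomes one LIKE operand; the concatenated version mirrors "EXEC Foo '" + text + "'", where a quote in the input rewrites the statement.

```python
import sqlite3

# Constructed sample rows standing in for the question's tablename/columnname.
ROWS = [("alice",), ("bob",), ("carol",)]


def make_db():
    """Build an in-memory table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tablename (columnname TEXT)")
    conn.executemany("INSERT INTO tablename VALUES (?)", ROWS)
    return conn


def search_parameterized(conn, bar):
    """Equivalent of calling Foo with @bar passed as a parameter.

    The placeholder is bound by the driver, so the whole of `bar` is one
    string operand of LIKE; quotes in it never reach the SQL parser.
    """
    cur = conn.execute(
        "SELECT columnname FROM tablename WHERE columnname LIKE '%' || ? || '%'",
        (bar,),
    )
    return [row[0] for row in cur.fetchall()]


def search_concatenated(conn, bar):
    """Equivalent of building the EXEC string by hand with + on user text.

    `bar` is spliced into the SQL text, so a quote in it ends the literal
    and whatever follows is parsed as part of the statement.
    """
    sql = "SELECT columnname FROM tablename WHERE columnname LIKE '%" + bar + "%'"
    cur = conn.execute(sql)
    return [row[0] for row in cur.fetchall()]


def compare(bar):
    """Run both forms on the same input and return their row counts."""
    conn = make_db()
    return len(search_parameterized(conn, bar)), len(search_concatenated(conn, bar))


if __name__ == "__main__":
    print(compare("ali"))          # both forms match only alice
    print(compare("' OR 1=1 --"))  # bound: 0 rows; concatenated: every row
```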