Does stored procedure help eliminate SQL injection / What are the benefits of stored procedures over normal SQL statements in apps?

Backend | Unresolved | 5 | 1225
离开以前 2021-02-03 10:34

I'm pretty new to SQL world. Here are my questions:

  • What are the benefits of stored procedures over normal SQL statements in applications?
  • Does stored pro
5 answers
  • 北恋 (OP)
    2021-02-03 11:20

    For the most part yes, SQL injection is far less likely with a stored procedure. Though there are times when you want to pass a stored procedure some data that requires you to use dynamic SQL inside the stored procedure and then you're right back where you started. In this sense I don't see any advantage to them over using parameterized queries in programming languages that support them.

    Personally I hate stored procedures. Having code in two disjointed places is a pain in the ass and it makes deploys that much more complicated. I don't advocate littering your code with SQL statements either however as this leads to its own set of headaches.

    I recommend a DAL layer implemented in one of two ways.

    1. My favorite, use an object relational management system (ORM). I've been working with nHibernate and I absolutely love it. The learning curve is steep but definitely worth the payoff in my opinion.
    2. Some kind of mechanism for keeping all your SQL code in one place. Either some sort of query library you select from or a really structured set of classes that design the SQL for you. I don't recommend this way since it's basically like building your own ORM and odds are you don't have the time to do it correctly.

    Forget stored procedures. Use an ORM.
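The point in the answer above, that a stored procedure only protects you while it uses static SQL, and that dynamic SQL inside the procedure puts you "right back where you started", as an added example that is not part of the original post or any answer on this page. It assumes SQL Server (T-SQL, `CREATE OR ALTER` needs 2016 SP1 or later) and a hypothetical table `dbo.Users(Id INT, UserName NVARCHAR(50), Email NVARCHAR(200))`; the procedure and parameter names are made up for illustration, and the payload is constructed.

```sql
-- Added example, not from the original post. Assumes SQL Server (T-SQL)
-- and a hypothetical table dbo.Users(Id INT, UserName NVARCHAR(50), Email NVARCHAR(200)).

-- VULNERABLE: the procedure builds its query by string concatenation, so the
-- caller's value is spliced into SQL text exactly as if the app had done it.
CREATE OR ALTER PROCEDURE dbo.FindUserByName_Unsafe
    @UserName NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT Id, UserName, Email FROM dbo.Users WHERE UserName = '''
             + @UserName + N'''';
    EXEC (@sql);
END
GO

-- Constructed payload  x' OR 1=1 --  makes the procedure execute
--   SELECT Id, UserName, Email FROM dbo.Users WHERE UserName = 'x' OR 1=1 --'
-- and return every row: wrapping the query in a procedure bought nothing.
EXEC dbo.FindUserByName_Unsafe @UserName = N'x'' OR 1=1 --';
GO

-- SAFE, static SQL: no dynamic SQL at all; @UserName is a typed parameter
-- compared as a value, never interpreted as SQL text.
CREATE OR ALTER PROCEDURE dbo.FindUserByName
    @UserName NVARCHAR(50)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT Id, UserName, Email FROM dbo.Users WHERE UserName = @UserName;
END
GO

-- SAFE, dynamic SQL done right: when the query text genuinely must vary
-- (here the column being searched), keep the user-supplied VALUE out of the
-- text and bind it through sp_executesql. Only the identifier is spliced in,
-- and it is checked against an allow-list and QUOTENAME()'d first.
CREATE OR ALTER PROCEDURE dbo.FindUserByColumn
    @Column SYSNAME,
    @Value  NVARCHAR(200)
AS
BEGIN
    SET NOCOUNT ON;
    IF @Column NOT IN (N'UserName', N'Email')
        THROW 50000, N'Column not allowed', 1;

    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT Id, UserName, Email FROM dbo.Users WHERE '
        + QUOTENAME(@Column) + N' = @p';
    EXEC sys.sp_executesql @sql, N'@p NVARCHAR(200)', @p = @Value;
END
GO

-- The same payload against the parameterized version matches only a user
-- whose name is literally  x' OR 1=1 --  (i.e. no rows): @p is a bound value.
EXEC dbo.FindUserByColumn @Column = N'UserName', @Value = N'x'' OR 1=1 --';
GO
```

The application side has to hold up its end too: call the procedure with bound parameters (the driver's parameter API, not a string built from `EXEC dbo.FindUserByName '...'`), otherwise the concatenation just moves from the procedure into the app. That is also why the answer sees no advantage over a parameterized query issued directly from application code: the protection comes from binding values as parameters, not from where the SQL text lives.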
