The mistake which a lot of developers make is thinking parameterized stored procedures mitigate SQL injection 100% of the time. However, injection is still possible with parameters when dynamic SQL is used in the stored procedure:
e.g.
create proc VulnerableDynamicSQL(@userName nvarchar(25))
as
declare @sql nvarchar(255)
-- @userName is spliced straight into the SQL text, so a quote in the value ends the string literal
set @sql = 'select * from users where UserName = '''
    + @userName + ''''
exec sp_executesql @sql
See
http://dotnetjunkies.com/WebLog/chri.../13/28370.aspx
Be warned
Richard Bisset
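The point above, shown end to end as an added T-SQL example (not code from the original post): the vulnerable procedure next to its fixed version, and one crafted call to each. It assumes a hypothetical table dbo.users with an nvarchar(25) UserName column; the procedure and parameter names other than VulnerableDynamicSQL are chosen here for illustration.

```sql
-- Added example, not from the original post. Assumes a table dbo.users(UserName nvarchar(25), ...).

-- 1. Vulnerable: the procedure parameter is concatenated into the SQL text,
--    so the value is parsed as SQL, not bound as data.
CREATE PROCEDURE dbo.VulnerableDynamicSQL (@userName nvarchar(25))
AS
BEGIN
    DECLARE @sql nvarchar(255);
    SET @sql = N'SELECT * FROM dbo.users WHERE UserName = '''
             + @userName + N'''';
    EXEC sp_executesql @sql;
END;
GO

-- A crafted value closes the literal and adds its own predicate. The caller
-- "used a parameter", yet the executed statement is:
--   SELECT * FROM dbo.users WHERE UserName = 'x' OR 1=1 --'
-- which returns every row.
EXEC dbo.VulnerableDynamicSQL N'x'' OR 1=1 --';
GO

-- 2. Fixed: keep the SQL text constant and hand the value to sp_executesql
--    through its own parameter list, so it is bound as data and can never
--    change the shape of the statement.
CREATE PROCEDURE dbo.SafeDynamicSQL (@userName nvarchar(25))
AS
BEGIN
    DECLARE @sql nvarchar(255);
    SET @sql = N'SELECT * FROM dbo.users WHERE UserName = @u';
    EXEC sp_executesql @sql, N'@u nvarchar(25)', @u = @userName;
END;
GO

-- The same payload now matches only a row whose UserName is literally
-- the string  x' OR 1=1 --  (normally no rows).
EXEC dbo.SafeDynamicSQL N'x'' OR 1=1 --';
GO
```

The rule this illustrates: a value can only be made safe by being passed as a parameter at the point where the SQL is actually executed, which for dynamic SQL is the parameter list of sp_executesql, not the parameter list of the outer procedure. Identifiers such as table or column names cannot be parameterized that way; if a procedure has to build those dynamically, check them against an allow-list and wrap them in QUOTENAME() rather than concatenating them raw.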