What is SQL Injection in SQL Server?

SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker.

Here are a few methods that can be used to protect against SQL injection attacks:

  • Use type-safe SQL parameters
  • Use parameterized input with stored procedures
  • Use the Parameters collection with dynamic SQL
  • Use the escape character in the LIKE clause
  • Wrap parameters with QUOTENAME() and REPLACE()
  • Validate ALL input elements. For unstructured data such as XML documents, validate all data against a schema as it is entered.
  • Never concatenate user input that has not been validated. String concatenation is the primary point of entry for script injection.
  • Always run stored procedures under least privilege in the database, and deny direct access to database objects.
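The following T-SQL is an added example, not code from the original page: a stored procedure that concatenates its input into dynamic SQL, beside a hardened version that applies several of the methods above (typed parameters via sp_executesql, an allow-list plus QUOTENAME() for the identifier, REPLACE() with a LIKE escape character, and least-privilege grants). It assumes a table dbo.Product with columns ProductID and Name, and a database role AppUserRole; both are hypothetical names.

```sql
-- Vulnerable: the input value becomes part of the statement text, so a quote
-- character in @Name ends the literal and the remainder is parsed as SQL.
CREATE PROCEDURE dbo.SearchProducts_Unsafe
    @Name nvarchar(200)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT ProductID, Name FROM dbo.Product WHERE Name LIKE ''%' + @Name + N'%''';
    EXEC (@sql);
END;
GO

-- Hardened: the value travels as a typed parameter and never enters the text.
CREATE PROCEDURE dbo.SearchProducts_Safe
    @Name    nvarchar(200),
    @SortCol sysname = N'Name'
AS
BEGIN
    SET NOCOUNT ON;

    -- LIKE wildcards supplied by the caller are escaped so they match literally.
    -- Backslash is escaped first so the caller cannot supply an escape of their own.
    DECLARE @pattern nvarchar(400) = N'%' +
        REPLACE(REPLACE(REPLACE(REPLACE(@Name,
            N'\', N'\\'), N'%', N'\%'), N'_', N'\_'), N'[', N'\[') + N'%';

    -- Identifiers cannot be passed as parameters: check an allow-list, then
    -- delimit with QUOTENAME() so the name is always a single bracketed identifier.
    IF @SortCol NOT IN (N'Name', N'ProductID')
        THROW 50001, N'Invalid sort column.', 1;

    DECLARE @sql nvarchar(max) =
        N'SELECT ProductID, Name FROM dbo.Product '
        + N'WHERE Name LIKE @p ESCAPE N''\'' ORDER BY ' + QUOTENAME(@SortCol) + N';';

    -- sp_executesql binds @p as nvarchar(400); SQL Server never re-parses its content.
    EXEC sys.sp_executesql @sql, N'@p nvarchar(400)', @p = @pattern;
END;
GO

-- Least privilege: the application role may execute the procedure (ownership
-- chaining covers the table read) but is denied direct access to the table.
GRANT EXECUTE ON OBJECT::dbo.SearchProducts_Safe TO AppUserRole;
DENY SELECT ON OBJECT::dbo.Product TO AppUserRole;
GO
```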
