By Admin at 4 Nov 2014, 11:17 AM
Addressing Code Injection Risk
If you have a query that you execute often, you might want to make a stored procedure out of it. Stored procedures help to avoid SQL injection, because the query text is fixed in advance and the caller supplies only parameter values.
SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application.
Creating a procedure also means that the SQL script is logically separated from other parts of the application. This often helps in the maintenance of a project. To create a stored procedure, please do the following:
- Type “Create procedure” and then provide the name of the procedure. (Note: if you are altering an existing procedure, use the Alter keyword instead of Create.)
- Add the parameters that you are going to use. (Note: these go in parentheses.)
  - These are the variables that are used within the query.
  - When you call the procedure, you must supply values for these variables.
- Add the keyword “as” after you close the parentheses for the parameters.
- Insert the SQL query.
- Run this script using F5 or the Execute button.
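The steps above carried out in T-SQL, as an added example that is not part of the original post. The Customers table, its columns and the procedure names are assumptions made for illustration; the second procedure shows the caveat that the protection comes from the parameter, not from the procedure wrapper.

```sql
-- Assumed table for the example (not from the original post).
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY(1,1) PRIMARY KEY,
    Email      NVARCHAR(256) NOT NULL,
    City       NVARCHAR(100) NOT NULL
);
GO

-- Step 1: CREATE PROCEDURE and its name (ALTER PROCEDURE to change it later).
-- Step 2: the parameters, in parentheses; every caller must supply them.
-- Step 3: AS, then Step 4: the query itself.
CREATE PROCEDURE dbo.GetCustomersByCity
(
    @City NVARCHAR(100)
)
AS
BEGIN
    SET NOCOUNT ON;
    -- @City is bound as a value and never spliced into the SQL text,
    -- so whatever string the caller passes is compared, not executed.
    SELECT CustomerId, Email, City
    FROM dbo.Customers
    WHERE City = @City;
END
GO

-- Calling it: the value travels as a parameter, not as query text.
EXEC dbo.GetCustomersByCity @City = N'Berlin';
GO

-- Caveat: if a procedure body rebuilds the query by string concatenation
-- and runs it with EXEC, the input becomes code again and the injection
-- risk returns. When dynamic SQL is unavoidable, keep the value a typed
-- parameter by passing it through sp_executesql instead of concatenating.
CREATE PROCEDURE dbo.GetCustomersByCity_Dynamic
(
    @City NVARCHAR(100)
)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, Email, City FROM dbo.Customers WHERE City = @City;';
    -- sp_executesql binds @City as a parameter, so the query text stays
    -- fixed regardless of the value supplied.
    EXEC sys.sp_executesql @sql, N'@City NVARCHAR(100)', @City = @City;
END
GO
```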