- Stored procedures are user written programs that are stored in database servers and can be invoked by client applications
- Stored procedures can execute SQL statements, as well as application-level logic, on the server for a specific function
- The SQL CALL statement is part of the SQL ISO/ANSI standard for invoking stored procedures from database management systems
- Client applications can invoke a stored procedure by using a single SQL CALL statement
- Client programs can pass parameters to, and receive parameters from, a stored procedure

Vulnerable and Secure Code for Stored Procedures
Example: Implementing Stored Procedure
- The java.sql.CallableStatement API is used to execute SQL stored procedures. CallableStatement is not vulnerable to SQL injection unless the called stored procedure code is itself vulnerable.

- The SELECT statement restricts the size of the parameters and the length of the input variables
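As an added example that is not part of the original page, the following Java class shows both halves of the point above: a server-side procedure that is vulnerable because it builds dynamic SQL from its parameter, the same procedure written with static SQL and a bounded NVARCHAR(50) parameter, and a client that invokes it through CallableStatement with bound parameters. It assumes a SQL Server database with a table users(id INT, name NVARCHAR(50)); the procedure names, the table, and the DDL are constructed for the example.

```java
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;

// Added example, not code from the original page. Assumes SQL Server (T-SQL),
// a table users(id INT, name NVARCHAR(50)), and hypothetical procedure names.
public class StoredProcedureCall {

    // Server side, VULNERABLE: the parameter is pasted into dynamic SQL, so a
    // CallableStatement on the client cannot protect the call.
    static final String VULNERABLE_PROC = """
        CREATE PROCEDURE get_user_unsafe @username NVARCHAR(50) AS
        BEGIN
          DECLARE @sql NVARCHAR(400) =
            N'SELECT id, name FROM users WHERE name = ''' + @username + '''';
          EXEC (@sql);   -- untrusted text becomes part of the statement
        END""";

    // Server side, SECURE: static SQL only; @username is always treated as a
    // value, and NVARCHAR(50) bounds the length of the accepted input.
    static final String SECURE_PROC = """
        CREATE PROCEDURE get_user @username NVARCHAR(50) AS
        BEGIN
          SELECT id, name FROM users WHERE name = @username;
        END""";

    // Client side: the CALL text is fixed and the argument is bound with
    // setString, never concatenated into the statement string.
    static Integer findUserId(Connection conn, String username) throws SQLException {
        try (CallableStatement cs = conn.prepareCall("{call get_user(?)}")) {
            cs.setString(1, username);
            try (ResultSet rs = cs.executeQuery()) {
                return rs.next() ? rs.getInt("id") : null;
            }
        }
    }
}
```

Run the secure DDL once with a Statement to create the procedure; the client method then stays safe only as long as the procedure it calls does not rebuild SQL from its arguments.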
