prevent sql injection

Is there a way to prevent sql injection by using stored procedures?

I have a sql query as

select column name from table where field ='@value'
cmd.parameters.add('@value', value);

I am using parameterized queries with least privileges. How can i write a basic stored procedure to prevent an sql injection.开发者_运维问答 Is that possible?

---

 select column name from table where field =@value

 cmd.parameters.add('@value', value);

SQL Parameters avoid the sql injection problem.

You just need to change the = condition with parameter. check above query.

---

Using parameterized queries alone should already prevent sql injection attacks as far as I am aware.

---

If you're using parameterised queries, you should not need the quotes around @value (@value instead of '@value'), provided the @value parameter is defined as a string.

Creating a stored procedure works in the same kind of way. @value would be defined as a VARCHAR or something, and so only accept strings. Then you reference @value rather than '@value' in the stored procedure.

CREATE PROCEDURE my_proc (IN @value VARCHAR(32))
BEGIN
  SELECT column name FROM table WHERE field = @value
END

---

C#

   cmd.parameters.Add("?value", value);

is deprecated

to update for @Yogesh Bhadauirya stated,

   cmd.Parameters.AddWithValue("?value", value);