I saw some similar question, none about mysql...
Is there any way to do a sql injection into a SP?
How do I protect from this on the SP level?
In other words, can the Query strucutre, inside a SP can be modified in any way by an incoming parameter?
If I send to a stored procedure the parameter "1;DELETE FROM users;--"
and the query is:
select *
from T
where = @p
SQL injection is, basically, adding extra code to the query. The attack itself occurs because the server parses the input data as SQL code and executes it accordingly. You cannot protect from it on the SP level, because when the execution gets to the procedure, the attack has already succeeded.
So as long as you construct your queries as text, SQL injection is possible regardless of what the text of the query is. And if you don't, or if you properly sanitize your input, then again, SQL injection shouldn't be a problem, whether it's SELECT or something else.
来源:https://stackoverflow.com/questions/8973847/is-it-possible-to-do-sql-injection-with-stored-procedures