VFP versus C#.Net
Message
From: 14/10/2005 18:56:58
To: Mike Yearwood, Toronto, Ontario, Canada (14/10/2005 11:05:31)
General information
Forum: Visual FoxPro
Category: Visual FoxPro and .NET
Environment versions
Visual FoxPro: VFP 8
OS: Windows XP
Network: Windows 2003 Server
Database: Visual FoxPro
Miscellaneous
Thread ID: 01058840
Message ID: 01059349
Hi, Mike.

>Why do people use stored procedures? Based on the huge fights I've seen, I wouldn't say most people, either. With .Net you can send parameters. Personally, I want to give the users more control over the queries. Injection attacks can't happen with ad hoc parameterized SQL, can they?
>
>Bear in mind, I'm a .net newbie, but I believe I understand the concept. If I use a stored procedure to assemble an SQL command I open myself to injection too.

Definitely not. SQL injection attacks need:
1. the UI being careless about user input
2. dynamic SQL being built by concatenating strings

Stored procedures are not just a way of avoiding SQL attacks, and they don't cover you against everything, but they are generally used for a number of reasons like:

Faster execution due to precompilation. This is increasingly less important as engines get more efficient with dynamic SQL, but it is still there.

Schema isolation: when you access your DB through SPs, you don't need to know its physical schema. You are using an interface instead, so conceptually this is Information Hiding.

Additional security: the typical DBA doesn't like you doing what you want with her DB (even if you have read-only access to selected tables). SPs ensure you have restricted access to what they wanted you to do.

I agree that dynamic SQL allows you more flexibility, but usually based on the assumption that you OWN the DB. And this is something that tends to become false over time. Even if you created and designed the DB for exclusive use of your app, once it becomes successful enough, someone else will start needing to access it, and soon you'll find that it's not your girl anymore. :-)

Hope this makes the issues clear.

Best regards,
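The contrast the reply draws between dynamic SQL built by string concatenation and parameterized SQL, as an added example that is not part of the original thread. It uses Python's sqlite3 with a constructed in-memory table standing in for the database; the same distinction applies to .NET command parameters versus concatenated command text.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the post): a tiny customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER, name TEXT, balance REAL)")
    conn.executemany(
        "INSERT INTO customer VALUES (?, ?, ?)",
        [(1, "Mike", 10.0), (2, "Ana", 20.0), (3, "Li", 30.0)],
    )
    return conn


def find_by_name_concat(conn, name):
    """Dynamic SQL assembled by concatenation (the defect the reply names).

    The user-supplied value becomes part of the SQL text, so the engine
    cannot distinguish the data from the statement it is embedded in.
    Shown only to make the difference visible; do not use this pattern."""
    sql = "SELECT id, name FROM customer WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_param(conn, name):
    """Parameterized SQL: the statement text is fixed and the value is
    sent separately, so it is only ever compared as a string literal."""
    sql = "SELECT id, name FROM customer WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both variants on the same input and return (concat_rows, param_rows)."""
    conn = make_db()
    try:
        return find_by_name_concat(conn, name), find_by_name_param(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    # Ordinary input: both variants agree.
    print(compare("Ana"))
    # Input containing a quote: the concatenated statement changes shape and
    # returns every row; the parameterized one simply finds no such name.
    print(compare("x' OR '1'='1"))
```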