
TableAdapters SQL injection

Updated: 2021-08-25 23:08:31


Without posting your stored-procedure code, there's no way to truly answer your question, but you can probably answer it yourself.


SQL injection attacks stem from user-entered data wiggling their way into dynamically-generated and executed SQL queries. Using a stored procedure generally avoids this problem by passing the arguments as parameters, thus not dynamically generating SQL. Procedures are automatically encapsulated and do not become part of your original SQL query text.

Take the following example:

SELECT *
FROM myTable
WHERE myId = @ID;


As a parameter, you're safe to set @ID to "21; DROP TABLE myTable;". It will get escaped for you and the entire string will be compared to myId. However, if you dynamically generate your SQL query like

string query = "SELECT *\nFROM myTable\nWHERE myId = " + userEnteredText + ";";


Now you'd get the following:

SELECT *
FROM myTable
WHERE myId = 21; DROP TABLE myTable;;

Oops.


So, to answer your question: IF your stored procedure doesn't dynamically generate SQL based on its parameters and EXEC them, you should be safe.


Note: This, of course, relies on your .NET data provider to be calling the procedure with parameters and not generating dynamic SQL statements. Most do this correctly, but if you're using a 3rd party provider, you should double-check this before assuming you're safe.
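The two patterns the answer contrasts, run side by side as an added example that is not part of the original answer and not .NET code: it uses Python's built-in sqlite3 module and an in-memory database with constructed rows standing in for myTable, so it runs offline. The vulnerable path pastes the answer's "21; DROP TABLE myTable;" into the SQL string and runs it with executescript(), which executes every statement in the string the way a T-SQL batch would; the safe path binds the same string as a parameter, so the whole value is compared against myId and matches nothing. All function names are the example's own.

```python
import sqlite3

# Constructed sample data: an in-memory SQLite database standing in for "myTable".
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (myId INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO myTable VALUES (?, ?)",
                     [(21, "alice"), (42, "bob")])
    conn.commit()
    return conn


def table_exists(conn):
    """True while myTable is still present in the schema."""
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = 'myTable'"
    ).fetchone()
    return row[0] == 1


HOSTILE_INPUT = "21; DROP TABLE myTable;"  # the value quoted in the answer


def query_concatenated(conn, user_entered_text):
    """Vulnerable pattern from the answer: the user's text becomes part of the SQL.

    executescript() runs every statement in the string, like a T-SQL batch would,
    so the trailing DROP TABLE executes as well. Returns the text that was executed
    so a caller can see the resulting "...myId = 21; DROP TABLE myTable;;".
    """
    query = "SELECT *\nFROM myTable\nWHERE myId = " + user_entered_text + ";"
    conn.executescript(query)
    return query


def query_parameterized(conn, user_entered_text):
    """Safe pattern: the value travels as a bound parameter and never touches the
    SQL text, so the entire string is compared against myId as one value."""
    return conn.execute(
        "SELECT * FROM myTable WHERE myId = ?", (user_entered_text,)
    ).fetchall()


def run_demo():
    """Run both patterns against fresh databases and return the observable outcomes."""
    safe_db = make_db()
    hostile_rows = query_parameterized(safe_db, HOSTILE_INPUT)  # no row has that myId
    normal_rows = query_parameterized(safe_db, "21")            # ordinary lookup still works
    still_there = table_exists(safe_db)

    vulnerable_db = make_db()
    executed = query_concatenated(vulnerable_db, HOSTILE_INPUT)
    dropped = not table_exists(vulnerable_db)

    return {
        "parameterized_hostile_rows": hostile_rows,    # []
        "parameterized_normal_rows": normal_rows,      # [(21, 'alice')]
        "parameterized_table_survives": still_there,   # True
        "concatenated_sql": executed,
        "concatenated_table_dropped": dropped,         # True
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The same split applies to the .NET side the answer is about: a SqlCommand whose CommandType is StoredProcedure with values added through Parameters sends the values out of band, whereas a stored procedure that builds a string from its arguments and runs it with EXEC reintroduces exactly the concatenated path shown here.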