I have to connect to an existing stored procedure which saves a line of text in the database.
Now I've seen the SP, and it is a concatenated string (in which my text is placed) which is then executed with exec(@sql).
Because the text is coming from a public website, I have to make sure no SQL injection is possible.
The database guy had not heard of SQL injection, so he doesn't know what to do, but as I don't want to expose the risk from my application, I would like to know what can be done to prevent the SQL injection. I am, however, more programmer than SQL guy.
Now I've found the 'SP_EXECUTESQL(@SQL)' stored procedure. Will that help prevent SQL injection, or is it still possible to make malicious calls?
Thanks in advance for helping me.
Look at the MSDN documentation for SP_EXECUTESQL(@SQL) here: http://msdn.microsoft.com/en-us/library/ms188001.aspx.
It warns that:
"Run time-compiled Transact-SQL statements can expose applications to malicious attacks, such as SQL injection."
Also have a look here: http://msdn.microsoft.com/en-us/library/ms175170.aspx
I would strongly advise against trusting ANY input from ANY user!
Can you change the query to be parameterised in some way?
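To make the "parameterised" suggestion concrete, here is an added T-SQL example (not code from the question or the answer) showing the concatenate-and-exec pattern the question describes next to a version that passes the text through sp_executesql's parameter list. The table dbo.Messages and the two procedure names are assumptions made for the illustration; the payload string is constructed for the demonstration.

```sql
-- Added example, not from the original question or answer.
-- Assumed schema for the illustration: a one-column message table.
CREATE TABLE dbo.Messages (
    Id   int IDENTITY(1,1) PRIMARY KEY,
    Body nvarchar(500) NOT NULL
);
GO

-- The pattern from the question: the user's text is spliced into the SQL
-- string, then the whole string is executed. A quote in the input ends the
-- literal early and the rest of the input is run as SQL.
CREATE PROCEDURE dbo.SaveMessage_Vulnerable
    @Text nvarchar(500)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'INSERT INTO dbo.Messages (Body) VALUES (''' + @Text + ''')';
    EXEC (@sql);
END
GO

-- Hardened version: the SQL text is a fixed string with a placeholder, and the
-- user's text is handed to sp_executesql as a typed parameter. It is never part
-- of the statement the server compiles, so it can only ever be stored as data.
CREATE PROCEDURE dbo.SaveMessage_Safe
    @Text nvarchar(500)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'INSERT INTO dbo.Messages (Body) VALUES (@Body)';
    EXEC sp_executesql
        @sql,
        N'@Body nvarchar(500)',   -- parameter declaration list
        @Body = @Text;            -- value bound to the placeholder
END
GO

-- Constructed payload: closes the string literal, appends a second statement,
-- and comments out whatever the procedure would have put after the input.
DECLARE @payload nvarchar(500) = N'hi''); DELETE FROM dbo.Messages; --';

-- Safe procedure: the entire payload, quotes and all, lands in one row as text.
EXEC dbo.SaveMessage_Safe @payload;
SELECT Body FROM dbo.Messages;

-- Vulnerable procedure: the INSERT runs with 'hi', then the injected DELETE
-- runs and empties the table.
EXEC dbo.SaveMessage_Vulnerable @payload;
SELECT COUNT(*) AS RowsLeft FROM dbo.Messages;
```

The caveat a practitioner should keep in mind: sp_executesql only helps when the value travels through its parameter list. Swapping exec(@sql) for sp_executesql @sql while still concatenating the text into @sql changes nothing, which is exactly the situation the MSDN warning above describes. If the existing stored procedure cannot be changed, nothing the calling application does with the input is a reliable fix; the concatenation has to go.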