• Patrick,

    You wrote "we have to ensure that the SQL command passed to the procedure is actually a SELECT statement". I hope that you realize that the statement could be something like this:

    SELECT 1 DELETE _t_spsys_select_log WHERE log_id=(SELECT MAX(log_id) FROM _t_spsys_select_log)

    This means that we must trust the developer of the client application to give us a correct SELECT statement. This means that we trust that he only uses hard-coded strings or if he uses anything entered by the user, he validates them very well. If anyone wants to read further on this topic, see:

    http://www.nextgenss.com/papers/advanced_sql_injection.pdf

    Razvan
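The point above, worked through as an added example (not code from Razvan's post): a "starts with SELECT" test accepts the batched statement, a lexical single-statement check rejects it, and a server-side allowlist of named queries avoids accepting client-supplied SQL at all. The table name is the one from the post; the query name and the keyword list are assumptions of this example.

```python
import re

# Constructed sample from the post: passes a "starts with SELECT" check but
# batches a DELETE behind the SELECT (T-SQL does not require ';' between statements).
BATCHED = ("SELECT 1 DELETE _t_spsys_select_log WHERE log_id="
           "(SELECT MAX(log_id) FROM _t_spsys_select_log)")

# Keywords that begin a new statement. A single SELECT may contain nested
# SELECTs but never one of these outside a string literal or comment.
STATEMENT_STARTERS = {"DELETE", "INSERT", "UPDATE", "DROP", "ALTER", "CREATE",
                      "EXEC", "EXECUTE", "TRUNCATE", "MERGE", "GRANT", "DECLARE"}

# Token classes: string literal, line comment, block comment, word, ';', any other char.
_TOKEN = re.compile(
    r"'(?:[^']|'')*'|--[^\n]*|/\*.*?\*/|[A-Za-z_][A-Za-z0-9_]*|;|\S", re.S)


def naive_is_select(sql: str) -> bool:
    """The check the post warns about: it only looks at the first word."""
    return sql.lstrip().upper().startswith("SELECT")


def is_single_select(sql: str) -> bool:
    """Lexical approximation of 'exactly one SELECT': no batch separator and no
    second statement keyword outside literals/comments. It narrows the hole but
    is not a substitute for refusing raw SQL from a client."""
    words = [t for t in _TOKEN.findall(sql)
             if not t.startswith(("'", "--", "/*"))]
    if not words or words[0].upper() != "SELECT":
        return False
    return not any(w == ";" or w.upper() in STATEMENT_STARTERS for w in words[1:])


# Allowlist approach: the client sends a query name; the SQL text lives on the server.
NAMED_QUERIES = {
    "latest_log_id": "SELECT MAX(log_id) FROM _t_spsys_select_log",  # assumed name
}


def resolve_named_query(name: str) -> str:
    """Return the fixed server-side SQL for a client-supplied name, or raise."""
    if name not in NAMED_QUERIES:
        raise KeyError(f"unknown query name: {name!r}")
    return NAMED_QUERIES[name]


if __name__ == "__main__":
    print("naive check accepts batched statement:", naive_is_select(BATCHED))   # True
    print("single-select check accepts it:", is_single_select(BATCHED))        # False
    print(resolve_named_query("latest_log_id"))
```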