How would the hacker pass that variable to the stored procedure ? If it's part of a form on a website, then hackers can enter character strings. But if the procedure is deeper in the application ??