• UMG Developer (6/21/2010)

    But I don't see how either using the certificates or the proxy login protects you from SQL injection attacks when using dynamic SQL, as the SP can still do anything that the certificate user/proxy login has permissions to do.

    Yes, that's true, but I did add at the bottom of the article that "Signing stored procedures is a step to making your application SQL injection proof; you would also need to make sure that any stored procedures that use dynamic SQL do not allow injection, and this can be achieved using parameterised dynamic SQL". So the steps to make sure your application is not SQL injectable are both not granting users any access rights to tables and also making sure that any stored procedures that use dynamic SQL use parameters.
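The two steps the reply describes, shown side by side as an added T-SQL example (this is not code from the thread or the article it discusses; the `dbo.Customer` table, the procedure names and the `AppUsers` role are hypothetical). The first procedure concatenates the caller's value into the statement text, so the value can alter the statement; the second fixes the statement text and passes the value as a typed parameter to `sp_executesql`; the third covers the case a parameter cannot handle (a caller-chosen column name) by checking it against the catalog and wrapping it with `QUOTENAME`. The final `GRANT` is the permission half of the reply: the application role may execute the procedure but has no rights on the table. Whether the dynamic SQL inside these procedures then runs with enough permission is the separate question the certificate signing or proxy login in the article addresses.

```sql
-- Added example, not part of the original thread.
-- Hypothetical table used by the procedures below.
CREATE TABLE dbo.Customer (
    CustomerId int IDENTITY(1,1) PRIMARY KEY,
    LastName   nvarchar(100) NOT NULL,
    City       nvarchar(100) NOT NULL
);
GO

-- Vulnerable form: the caller's string becomes part of the statement text,
-- so quote characters in the value change what the batch means.
CREATE PROCEDURE dbo.FindCustomer_Unsafe
    @LastName nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, LastName, City FROM dbo.Customer '
      + N'WHERE LastName = ''' + @LastName + N''';';
    EXEC (@sql);
END
GO

-- Parameterised form: the statement text is constant; the value travels as a
-- typed parameter to sp_executesql and is never parsed as SQL.
CREATE PROCEDURE dbo.FindCustomer_Safe
    @LastName nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, LastName, City FROM dbo.Customer '
      + N'WHERE LastName = @p_LastName;';
    EXEC sys.sp_executesql
        @sql,
        N'@p_LastName nvarchar(100)',
        @p_LastName = @LastName;
END
GO

-- Identifiers cannot be parameters. When the caller picks the column, accept it
-- only if it exists in the catalog, and quote it with QUOTENAME; the compared
-- value is still passed as a parameter.
CREATE PROCEDURE dbo.FindCustomerBy_Safe
    @Column sysname,
    @Value  nvarchar(100)
AS
BEGIN
    IF NOT EXISTS (
        SELECT 1 FROM sys.columns
        WHERE object_id = OBJECT_ID(N'dbo.Customer') AND name = @Column)
    BEGIN
        RAISERROR(N'Unknown column', 16, 1);
        RETURN;
    END;

    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, LastName, City FROM dbo.Customer WHERE '
      + QUOTENAME(@Column) + N' = @p_Value;';
    EXEC sys.sp_executesql @sql, N'@p_Value nvarchar(100)', @p_Value = @Value;
END
GO

-- Permission half of the reply: the application role can execute the safe
-- procedures and holds no rights on dbo.Customer itself.
CREATE ROLE AppUsers;
GRANT EXECUTE ON dbo.FindCustomer_Safe   TO AppUsers;
GRANT EXECUTE ON dbo.FindCustomerBy_Safe TO AppUsers;
```

Run as a single batch against a scratch database. Because `sp_executesql` receives the same statement text on every call, the plan is also cached and reused, which is a side benefit of the parameterised form over string concatenation.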