It depends on how you implement your calls to the server, and how you build your stored procedures.
For example, if you build an SQL string in ASP.NET, and then execute it, that's the same as not using a proc in the first place.
On the other hand, if the comments are fed directly to a proc as a parameter value, then there really isn't a way to get them to execute as an injection attack. Building and executing strings is really where SQL injection comes into play.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
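As an added illustration of the distinction drawn in the post (this is not code from the original thread), here is the same insert written three ways in T-SQL: a procedure that builds and executes a string, which is the case described as no better than building the SQL in ASP.NET; one that uses the parameter directly as a value; and one that keeps dynamic SQL but still binds the value as a parameter. The table and procedure names are assumed.

```sql
-- Constructed example table (assumed name, not from the original thread)
CREATE TABLE dbo.Comments (
    CommentId INT IDENTITY(1,1) PRIMARY KEY,
    PostId    INT NOT NULL,
    Body      NVARCHAR(4000) NOT NULL
);
GO
-- Weak pattern: the caller's value is concatenated into a string that is
-- then executed, so the contents of @Body are parsed as part of the
-- statement. Wrapping this in a proc adds nothing over building it in ASP.NET.
CREATE PROCEDURE dbo.AddComment_Dynamic
    @PostId INT,
    @Body   NVARCHAR(4000)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'INSERT INTO dbo.Comments (PostId, Body) VALUES ('
        + CAST(@PostId AS NVARCHAR(10)) + N', N''' + @Body + N''')';
    EXEC (@sql);   -- the comment text is interpreted as T-SQL here
END
GO
-- Safe pattern: the parameter is used directly as a value. The comment is
-- bound as data and is never parsed as statement text.
CREATE PROCEDURE dbo.AddComment_Param
    @PostId INT,
    @Body   NVARCHAR(4000)
AS
BEGIN
    INSERT INTO dbo.Comments (PostId, Body) VALUES (@PostId, @Body);
END
GO
-- If dynamic SQL is genuinely needed, keep the value out of the string and
-- pass it to sp_executesql as a named parameter instead.
CREATE PROCEDURE dbo.AddComment_DynamicParam
    @PostId INT,
    @Body   NVARCHAR(4000)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'INSERT INTO dbo.Comments (PostId, Body) VALUES (@p, @b)';
    EXEC sp_executesql @sql, N'@p INT, @b NVARCHAR(4000)',
         @p = @PostId, @b = @Body;
END
GO
-- Constructed input with a quote and a semicolon: the parameterised procs
-- store it verbatim, while the dynamic one fails because the quote ends the
-- literal inside @sql and the rest of the text is parsed as T-SQL.
EXEC dbo.AddComment_Param 1, N'It''s fine; see O''Brien''s note';
SELECT Body FROM dbo.Comments;
```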