I have read the 4guys articles on sql injection attacks. What is not clear is if I still need to protect from these when my db is ONLY accessed via stored proc's. as an uneducated guess I would imagine they do as even though the proc's provide security they still accept inputs from form fields and utilise SQL select, create, and update statements? I posted this on ASP q and a and was told to ask for opinions here. And I am not sure whether the stored proc's use EXEC or not as my DBA is not with me right now.