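-- Listing 2: Procedure usp_getorders including Input Validation
IF OBJECT_ID('dbo.usp_getorders', 'P') IS NOT NULL
    DROP PROC dbo.usp_getorders;
GO

-- Returns OrderID, OrderDate, CustomerID and EmployeeID for every row of
-- dbo.Orders whose OrderID appears in @arr, a comma-separated list of integer
-- IDs (e.g. N'10248,10249').
--
-- @arr is spliced into dynamic SQL, so it is validated before the statement
-- is built: only ASCII digits and commas are allowed, which means the caller
-- cannot alter the structure of the statement. (A table-valued parameter or a
-- split function would avoid dynamic SQL altogether; the allow-list check is
-- the minimum required when the concatenation is kept.)
--
-- Raises error 16/state 2 for a NULL, empty or malformed list and
-- error 16/state 1 for a list containing any disallowed character.
CREATE PROC dbo.usp_getorders(@arr AS NVARCHAR(2000))
AS
-- A NULL @arr would make @sql NULL and silently execute nothing; an empty
-- list or a leading/trailing/doubled comma would produce "IN()" or "IN(1,,2)"
-- and fail later with an unhelpful parse error. Wrapping the list in commas
-- turns all of those cases into a ",," sequence that one LIKE can detect.
IF @arr IS NULL OR N',' + @arr + N',' LIKE N'%,,%'
BEGIN
    RAISERROR('Input must be a non-empty comma-separated list of integers. Procedure aborted.', 16, 2);
    RETURN;
END

-- Allow-list check: reject any character outside [0-9,]. LIKE ranges are
-- evaluated under the operand's collation, so a binary collation is forced
-- to make the range a plain code-point check (a width-insensitive collation
-- may treat width variants of digits as in-range).
IF @arr COLLATE Latin1_General_BIN LIKE N'%[^0-9,]%'
BEGIN
    RAISERROR('Input may contain SQL injection. Procedure aborted.', 16, 1);
    RETURN;
END

DECLARE @sql AS NVARCHAR(2300);

-- @arr is the only untrusted fragment of @sql. After the checks above it can
-- consist only of digits and commas, which cannot close the IN(...) list or
-- start a second statement.
SET @sql = N'SELECT OrderID, OrderDate, CustomerID, EmployeeID FROM dbo.Orders WHERE OrderID IN(' + @arr + N');';

EXEC sp_executesql @sql;
GO

-- Demonstration: an injection-shaped argument is rejected by the allow-list
-- check before any dynamic SQL is built.
EXEC dbo.usp_getorders
    N'0); PRINT ''This could have been much worse than a PRINT statement.''; --';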