Tags: c#, sql-server, stored-procedures, sql-injection

User Specified Stored Procedure Name in SqlCommand


I'm creating a SqlCommand with the name of the stored procedure specified by the user in UserStoredProcedureName using the following code:

new SqlCommand(UserStoredProcedureName, connection)
    { CommandType = CommandType.StoredProcedure }

There is no validation done on the string supplied by the user in UserStoredProcedureName. Is the user only able to specify the name of stored procedures in the database? Is the user able to perform a SQL injection attack by crafting a malicious stored procedure name?

For example:

UserStoredProcedureName = "SELECT * FROM USERS";

Solution

  • You shouldn't let external code supply a stored procedure name. Reasons: the stored procedure could be sp_executesql, which can run anything that you supply as the first parameter. It could also be xp_cmdshell or similar.

    So: you should still control the input stored procedure name via a white-list. If the name is coming from your own code, it shouldn't be a problem, and it isn't normal to white-list in that scenario.

    Note: if a stored procedure internally uses EXEC (@sql) or EXEC sp_executesql @sql, then it can still present a SQL injection attack, depending on whether @sql could contain malicious non-parameterized SQL. Note that sp_executesql is designed to allow you to fully parameterize dynamic SQL, to avoid SQL injection attacks even inside SQL generated inside SQL.
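One way to apply the white-list the answer recommends, as an added example (not code from the question or the answer): the caller never supplies a procedure name at all, only a short action key, and the code maps that key to a fixed procedure name and fixed parameters. The procedure names, the action keys and the `GetOrders` parameter are hypothetical; the example assumes the Microsoft.Data.SqlClient package.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using Microsoft.Data.SqlClient;

public static class ProcedureRunner
{
    // Allow-list: external input selects a key, the code owns the procedure name.
    // Names are constructed for this example; there is no user-controlled string here.
    private static readonly Dictionary<string, string> AllowedProcedures =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["orders"]   = "dbo.GetOrdersForCustomer",
            ["profile"]  = "dbo.GetCustomerProfile",
        };

    // Builds a SqlCommand only for a white-listed action; anything else is rejected,
    // so "SELECT * FROM USERS", "sp_executesql" or "xp_cmdshell" can never reach SqlCommand.
    public static SqlCommand CreateCommand(string actionKey, int customerId, SqlConnection connection)
    {
        if (actionKey == null || !AllowedProcedures.TryGetValue(actionKey, out string procedureName))
        {
            throw new ArgumentException("Unknown action: " + actionKey);
        }

        var command = new SqlCommand(procedureName, connection)
        {
            CommandType = CommandType.StoredProcedure
        };

        // Parameters are always passed as typed SqlParameters, never concatenated into text.
        // Note that the procedures themselves must still be reviewed: one that builds
        // EXEC(@sql) from its parameters would reopen the injection the white-list closed.
        command.Parameters.Add("@CustomerId", SqlDbType.Int).Value = customerId;
        return command;
    }

    public static void Main()
    {
        // Hypothetical connection string; the command is built but not executed here.
        using var connection = new SqlConnection("Server=.;Database=Shop;Integrated Security=true");

        using var ok = CreateCommand("orders", 42, connection);
        Console.WriteLine(ok.CommandText); // dbo.GetOrdersForCustomer

        try
        {
            CreateCommand("SELECT * FROM USERS", 42, connection);
        }
        catch (ArgumentException e)
        {
            Console.WriteLine("Rejected: " + e.Message);
        }
    }
}
```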