how to use sql injection in stored procedure