I have been in a dilemma these days because our website was attacked by SQL injection, by way of stored procedure commands in a URL variable. Finally, I can prevent it, so the attacker cannot attack our site that way anymore. The attacker uses the following stored procedure commands after the "?" of your website URL.
DECLARE @S NVARCHAR(4000)
SET @S=CAST(0x4400450043004C00 ... 6F007200 AS NVARCHAR(4000))
DECLARE @S VARCHAR(4000)
SET @S=CAST(0x4445434C41524520 ... 736F7220 AS VARCHAR(4000))
DECLARE @S CHAR(4000)
SET @S=CAST(0x4445434C41524520 ... 736F7220 AS CHAR(4000))
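One way to spot this payload shape in request query strings and reveal the SQL hidden in the hex literal, as an added example that is not the author's own fix. The function names and sample query strings are constructed for illustration; the two hex prefixes are the leading bytes shown above.

```python
import re
from urllib.parse import unquote_plus

# CAST(0x<hex> AS [N][VAR]CHAR(n)): the wrapper used in the payload above.
CAST_HEX = re.compile(
    r"CAST\s*\(\s*0x([0-9a-f]+)\s+AS\s+(N?(?:VAR)?CHAR)\s*\(\s*\d+\s*\)\s*\)",
    re.IGNORECASE,
)
DECLARE_VAR = re.compile(r"DECLARE\s+@\w+\s+N?(?:VAR)?CHAR", re.IGNORECASE)

# Constructed sample query strings (the part after "?"); hex is cut to 8 bytes.
SAMPLE_QUERIES = [
    "id=42&page=2",
    "id=42;DECLARE%20@S%20VARCHAR(4000);"
    "SET%20@S=CAST(0x4445434C41524520%20AS%20VARCHAR(4000))",
    "id=7;declare+@s+nvarchar(4000);"
    "set+@s=cast(0x4400450043004C00+as+nvarchar(4000))",
]


def decode_blob(hex_text, sql_type):
    """Turn the hex literal back into text for the given SQL character type."""
    if len(hex_text) % 2:
        hex_text = "0" + hex_text  # pad an odd-length literal so it parses
    raw = bytes.fromhex(hex_text)
    # N-types hold UTF-16LE; CHAR/VARCHAR hold single-byte text.
    encoding = "utf-16-le" if sql_type.upper().startswith("N") else "latin-1"
    return raw.decode(encoding, errors="replace")


def inspect_query_string(query):
    """Return one finding per hex-encoded CAST found in a raw query string."""
    decoded = query
    for _ in range(3):  # the payload may be percent-encoded more than once
        step = unquote_plus(decoded)
        if step == decoded:
            break
        decoded = step
    return [
        {
            "type": m.group(2).upper(),
            "hidden_sql": decode_blob(m.group(1), m.group(2)),
            "has_declare": bool(DECLARE_VAR.search(decoded)),
        }
        for m in CAST_HEX.finditer(decoded)
    ]


if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(q[:40], "->", inspect_query_string(q))
```

A finding only flags the request for review or blocking; the query that builds SQL from the URL variable still has to be parameterized so the input is never executed.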