I am referring to the OWASP guidance on SQL injection prevention and have two queries:
(1) What is "embedded parameters" in relation to parameterized stored procedures? I couldn't find any difference between parameters and embedded parameters.
(2) Which one is better -
(a) Parameterized stored procedures with the principle of least privilege // clubbing the additional defense & the high-priority defense
(b) Parameterized stored procedures with the embedded parameters
- I think option (a) depends on a policy where you use stored procedures everywhere, so unless that is specified, option (b) is more correct.
I don't see the words "embedded parameters" on that page. Do you have a link/quote that references them? (I'm not sure what the term refers to. It might be concatenating parameters with SQL, which is bad. But I'm not sure that is what you mean.)
The premise of your question seems to be to use stored procedures. While stored procs can add additional security, that is not directly related to SQL injection. Using prepared statements (in raw SQL queries) already takes care of that without the use of stored procs (which do have drawbacks as well as benefits).
The solution to stop SQL injection is to use PARAMETERIZED QUERIES. Also consider very good input validation, but parameterized queries are the most important technique. You need to do parameterization:
1) For SQL creation
2) When calling a stored procedure
3) Inside the stored procedure itself
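An added T-SQL illustration of those three places (example code written for this answer, not from OWASP or the original poster; the table dbo.Users, its columns and the procedure name are assumed). The dangerous case in point 3 is a stored procedure that builds dynamic SQL by concatenating its own parameters, which reintroduces injection even though the caller parameterized the EXEC.

```sql
-- (1) SQL creation: an ad-hoc statement with a bound parameter instead of
--     string concatenation. The value travels as data, not as SQL text.
EXEC sys.sp_executesql
    N'SELECT Id FROM dbo.Users WHERE Email = @Email;',
    N'@Email nvarchar(256)',
    @Email = N'alice@example.com';
GO

-- (3) Inside the stored procedure: dynamic SQL must itself be parameterized.
CREATE PROCEDURE dbo.FindUsersByCity
    @City       nvarchar(100),
    @SortColumn sysname = N'LastName'
AS
BEGIN
    SET NOCOUNT ON;

    -- Unsafe pattern (kept as a comment): embedding @City in the SQL text
    -- makes the procedure injectable no matter how the caller passed @City.
    -- DECLARE @bad nvarchar(max) =
    --     N'SELECT Id FROM dbo.Users WHERE City = ''' + @City + N'''';
    -- EXEC (@bad);

    -- Identifiers such as column names cannot be bound as parameters,
    -- so allow-list them and quote with QUOTENAME before concatenating.
    IF @SortColumn NOT IN (N'LastName', N'FirstName', N'City')
        THROW 50000, N'Invalid sort column', 1;

    DECLARE @sql nvarchar(max) =
        N'SELECT Id, FirstName, LastName FROM dbo.Users '
      + N'WHERE City = @City ORDER BY ' + QUOTENAME(@SortColumn) + N';';

    -- Data value bound as a typed parameter; @City is never part of the text.
    EXEC sys.sp_executesql
        @sql,
        N'@City nvarchar(100)',
        @City = @City;
END;
GO

-- (2) Calling the stored procedure: pass values as named parameters.
--     An apostrophe in the value needs no escaping because it is never
--     spliced into SQL text at either layer.
DECLARE @city nvarchar(100) = N'Côte d''Ivoire';
EXEC dbo.FindUsersByCity @City = @city, @SortColumn = N'LastName';
```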