Agreed, but the values that can be selected for both the variables (which are given meaningful names for the purpose of display) and the selection values are table-driven and are validated. The only way that SQL injection could occur is if the DBA did it himself.
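The table-driven scheme the comment above describes, as an added example (not code from the original thread or from any product it refers to): the display name the user picks is resolved to a real column through a driver table, the selected value is checked against a second driver table, and only then is a query built, with the value bound as a parameter. It also exercises the one path the comment leaves open, a privileged edit to the driver table itself, and adds a schema check that closes it. The schema, table names (`employees`, `filter_columns`, `filter_values`) and sample rows are all constructed for the example.

```python
"""Allow-list column names and selection values from driver tables before
building a SQL query. Uses an in-memory SQLite database; every table, column
and row below is constructed for this example."""
import sqlite3


class InvalidSelection(ValueError):
    """Raised when a display name or value is not present in the driver tables."""


def setup_db() -> sqlite3.Connection:
    """Create the constructed sample schema: the data table plus the two
    driver tables that define what the user may pick."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employees (emp_id INTEGER, dept_code TEXT, region TEXT, salary INTEGER);
        INSERT INTO employees VALUES (1,'ENG','EU',100),(2,'OPS','US',90),(3,'ENG','US',120);

        -- display name shown to the user -> real column it stands for
        CREATE TABLE filter_columns (display_name TEXT PRIMARY KEY, column_name TEXT NOT NULL);
        INSERT INTO filter_columns VALUES ('Department','dept_code'),('Region','region');

        -- permitted selection values per display name
        CREATE TABLE filter_values (display_name TEXT, value TEXT,
                                    PRIMARY KEY (display_name, value));
        INSERT INTO filter_values VALUES ('Department','ENG'),('Department','OPS'),
                                         ('Region','EU'),('Region','US');
    """)
    conn.commit()
    return conn


def resolve_column(conn: sqlite3.Connection, display_name: str) -> str:
    """Map a display name to a column via the driver table; anything not listed is rejected."""
    row = conn.execute(
        "SELECT column_name FROM filter_columns WHERE display_name = ?", (display_name,)
    ).fetchone()
    if row is None:
        raise InvalidSelection(f"unknown filter {display_name!r}")
    return row[0]


def validate_value(conn: sqlite3.Connection, display_name: str, value: str) -> str:
    """Accept only values the driver table lists for this display name."""
    row = conn.execute(
        "SELECT 1 FROM filter_values WHERE display_name = ? AND value = ?", (display_name, value)
    ).fetchone()
    if row is None:
        raise InvalidSelection(f"value {value!r} not permitted for {display_name!r}")
    return value


def column_exists(conn: sqlite3.Connection, column: str) -> bool:
    """Added check: confirm the resolved name really is a column of the target table,
    so a tampered driver-table row cannot smuggle in SQL fragments."""
    names = {row[1] for row in conn.execute("PRAGMA table_info(employees)")}
    return column in names


def count_matching(conn: sqlite3.Connection, display_name: str, value: str,
                   check_schema: bool = True) -> int:
    """Build and run the filtered count. The column name comes only from the
    driver table; the value is always bound as a parameter, never interpolated."""
    column = resolve_column(conn, display_name)
    validate_value(conn, display_name, value)
    if check_schema and not column_exists(conn, column):
        raise InvalidSelection(f"driver table maps {display_name!r} to a non-column {column!r}")
    sql = f"SELECT COUNT(*) FROM employees WHERE {column} = ?"
    return conn.execute(sql, (value,)).fetchone()[0]


def tamper_mapping(conn: sqlite3.Connection) -> None:
    """Simulate the path the comment leaves open: someone with write access to the
    driver tables inserts a mapping whose 'column' is really a SQL fragment."""
    conn.execute("INSERT INTO filter_columns VALUES ('Evil', '1=1 OR dept_code')")
    conn.execute("INSERT INTO filter_values VALUES ('Evil', 'ENG')")
    conn.commit()


if __name__ == "__main__":
    db = setup_db()
    print(count_matching(db, "Department", "ENG"))
    for bad in (("dept_code='' OR 1=1 --", "ENG"), ("Department", "ENG' OR '1'='1")):
        try:
            count_matching(db, *bad)
        except InvalidSelection as exc:
            print("rejected:", exc)
    tamper_mapping(db)
    print("without schema check:", count_matching(db, "Evil", "ENG", check_schema=False))
    try:
        count_matching(db, "Evil", "ENG")
    except InvalidSelection as exc:
        print("rejected:", exc)
```

User-supplied display names and values that are not in the driver tables never reach the query string, which is the property the comment relies on. The `tamper_mapping` case shows what that trust boundary means in practice: with the driver table altered, `count_matching(..., check_schema=False)` runs `WHERE 1=1 OR dept_code = ?` and returns every row, while the added `PRAGMA table_info` check (an assumption of this example, not something the comment claims is in place) rejects the mapping because `1=1 OR dept_code` is not a column.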