How do I prevent the SQL attack - Input parameters in stored procedure

Question

How do I prevent SQL attack in input parameters? Unsafe characters (' ")

I have the following stored procedure:

I would like to protect the inputs - @NICKNAME_USER, @PASSWORD_USER

IF  EXISTS (SELECT * FROM sys.objects WHERE object_id = OBJECT_ID(N'[dbo].[SP_AUTH]') AND type in (N'P', N'PC'))
DROP PROCEDURE [dbo].[SP_AUTH]
GO

CREATE PROCEDURE [dbo].[SP_AUTH]    (@ACTION    INT = NULL,
                                     @NICKNAME_USER VARCHAR(250) = NULL,
                                     @PASSWORD_USER VARCHAR(250) = NULL)
AS
BEGIN TRY
    IF @ACTION = 'L'
         BEGIN

    SELECT  U.ID AS ID_USER, 
            U.NICKNAME AS NICKNAME
            FROM dbo.T_USERS AS U WITH (NOLOCK)
            WHERE U.NICKNAME = @NICKNAME_USER
            AND U.PASSWORD = @PASSWORD_USER
   END
END TRY
BEGIN CATCH

    DECLARE @ErrorMessage NVARCHAR(4000),
            @ErrorSeverity INT,
            @ErrorState INT

    SELECT 
        @ErrorMessage = ERROR_MESSAGE(),
        @ErrorSeverity = ERROR_SEVERITY(),
        @ErrorState = ERROR_STATE();

    RAISERROR (@ErrorMessage, -- Message text.
               @ErrorSeverity, -- Severity.
               @ErrorState -- State.
               );
END CATCH

Answer 1

Just using procedures with parameters will prevent you from sql injection. For further info on msdn is here.