SQL injection attacks may lead to data theft, content destruction, even database crash. Many defense mechanisms have been proposed to resolve explicit SQL injection attacks, where the attacks take advantage of the web application programs. However, defense against SQL injection attacks aiming at stored procedures provided by supporting database system have not been successfully addressed. In this study, we extend the input legitimacy validation method to SQL injection attack on stored procedures. Besides the web application program, the statics analysis is also performed on the stored procedures provided by database system to obtain knowledge on the relationships between user input parameters and the stored procedures. During on-line dynamic analysis phase, input parameters are verified according to the previously derived knowledge. If a potential SQL injection attack is detected, the user request will be rejected before forwarding to the web application programs. The proposed enhancement to the original method provides a more comprehensive defense on SQL injection attacks. Our method is transparent to users and web application program designers. It provides effective defense with no need to rewrite application programs.