Detailed information about security issues related to SQL procedures are discussed in Appendix E, "Security Considerations in SQL Procedures."
When you create an SQL procedure, you may specify CONTAINS SQL, READS SQL DATA, or MODIFIES SQL DATA. The NO SQL clause is not valid for SQL procedures. Refer to Chapter 2, "Basic SQL Procedure Structure," for more information.
A nested SQL procedure is not allowed to call a target procedure with a higher data access level than its own. The levels rank as CONTAINS SQL < READS SQL DATA < MODIFIES SQL DATA. For example, an SQL procedure created with READS SQL DATA can call SQL procedures created with either CONTAINS SQL or READS SQL DATA, but cannot call SQL procedures created with MODIFIES SQL DATA. A procedure created with MODIFIES SQL DATA can call procedures at any level.
This restriction limits what a user can reach through a procedure even when he or she knows the name and signature of the SQL procedure that reads or modifies the data. Suppose you have granted a staff member EXECUTE privilege on a stored procedure that only reads data. If that person alters the read-only procedure so that it calls another procedure that modifies the data, the nested call is rejected, because a READS SQL DATA procedure cannot invoke a MODIFIES SQL DATA target. Unauthorized data manipulation by chaining calls into data-modifying procedures is therefore prevented. Note that the data access clause is a consistency check on the procedure's own behavior, not a replacement for privileges: a procedure that legitimately needs to write must be created with MODIFIES SQL DATA, and EXECUTE privilege on such procedures should still be granted only to the users who are meant to modify the data.
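The following is an added example, not code from the book, showing the nesting rule in DB2 SQL PL. The table names (emp, salary_audit) and procedure names are assumed for illustration; the script uses @ as the statement terminator (for example, db2 -td@ -f file.sql). The first version of the caller is declared READS SQL DATA and tries to reach a MODIFIES SQL DATA procedure through a nested CALL; DB2 rejects that call (on DB2 for LUW the error is reported when the CALL executes, as SQL0577N, SQLSTATE 38002). The corrected version declares the level it actually needs.

```sql
-- Added example (not from the book). Assumed tables: emp holds salaries,
-- salary_audit records who looked at them. Terminator is @.
CREATE TABLE emp (emp_id INTEGER NOT NULL PRIMARY KEY, salary DECIMAL(9,2))@
CREATE TABLE salary_audit (emp_id INTEGER NOT NULL, viewed_at TIMESTAMP NOT NULL)@
INSERT INTO emp (emp_id, salary) VALUES (100, 52000.00), (101, 61000.00)@

-- Level 1 of 3: CONTAINS SQL. No table access at all, only SQL PL control flow.
CREATE PROCEDURE round_to_thousand (INOUT p_amount DECIMAL(9,2))
  LANGUAGE SQL
  CONTAINS SQL
BEGIN
  SET p_amount = ROUND(p_amount, -3);
END@

-- Level 3 of 3: MODIFIES SQL DATA. The only level that may write to tables.
CREATE PROCEDURE log_salary_view (IN p_emp_id INTEGER)
  LANGUAGE SQL
  MODIFIES SQL DATA
BEGIN
  INSERT INTO salary_audit (emp_id, viewed_at)
    VALUES (p_emp_id, CURRENT TIMESTAMP);
END@

-- Level 2 of 3: READS SQL DATA. May read tables and call CONTAINS SQL or
-- READS SQL DATA procedures; the nested CALL to round_to_thousand is allowed.
CREATE PROCEDURE get_rounded_salary (IN p_emp_id INTEGER, OUT p_salary DECIMAL(9,2))
  LANGUAGE SQL
  READS SQL DATA
BEGIN
  SELECT salary INTO p_salary FROM emp WHERE emp_id = p_emp_id;
  CALL round_to_thousand(p_salary);
END@

-- REJECTED nesting: a READS SQL DATA caller trying to reach a MODIFIES SQL DATA
-- target. The CREATE succeeds, but the CALL fails at run time (SQL0577N) because
-- the target's data access level is higher than the caller's.
CREATE PROCEDURE get_salary_logged_bad (IN p_emp_id INTEGER, OUT p_salary DECIMAL(9,2))
  LANGUAGE SQL
  READS SQL DATA
BEGIN
  SELECT salary INTO p_salary FROM emp WHERE emp_id = p_emp_id;
  CALL log_salary_view(p_emp_id);   -- higher level than the caller: not allowed
END@

-- CORRECTED: the caller declares the level it really needs. MODIFIES SQL DATA
-- may call procedures at any level, so both nested CALLs are permitted.
CREATE PROCEDURE get_salary_logged (IN p_emp_id INTEGER, OUT p_salary DECIMAL(9,2))
  LANGUAGE SQL
  MODIFIES SQL DATA
BEGIN
  SELECT salary INTO p_salary FROM emp WHERE emp_id = p_emp_id;
  CALL log_salary_view(p_emp_id);   -- allowed: same level as the caller
  CALL round_to_thousand(p_salary); -- allowed: lower level than the caller
END@

-- Exercise the procedures.
CALL get_rounded_salary(100, ?)@       -- returns 52000.00
CALL get_salary_logged(101, ?)@        -- returns 61000.00 and inserts one audit row
CALL get_salary_logged_bad(101, ?)@    -- fails with SQL0577N, no audit row written
SELECT COUNT(*) AS audit_rows FROM salary_audit@   -- 1
```

Because the check is on the nested CALL rather than on CREATE PROCEDURE, test each caller after you create it rather than relying on the CREATE succeeding. Pair the clause with privileges: grant EXECUTE on log_salary_view and get_salary_logged only to users who are supposed to write to salary_audit, and give read-only users EXECUTE on get_rounded_salary alone.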