As a quickie "solution", for now, something like this:
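SET ANSI_NULLS ON;
SET QUOTED_IDENTIFIER ON;
GO
ALTER PROCEDURE <proc_name>
    @ID int,            -- declared, but not referenced by the statement built below
    @State varchar(30),
    @ColumnName varchar(100),
    @NewValue datetime
AS
SET NOCOUNT ON;
-- Reject any input containing a semicolon
IF @State LIKE '%[;]%' OR @ColumnName LIKE '%[;]%' OR @NewValue LIKE '%[;]%'
    RETURN -100 /*sql injection attempt!*/
DECLARE @sql varchar(8000)
-- Convert the datetime explicitly (style 126 = ISO 8601); concatenating a
-- datetime directly onto a string fails with a conversion error at run time
SET @sql = 'UPDATE [' + @State + '_Fees] SET [' + PARSENAME(@ColumnName, 1) + '] = '''
    + CONVERT(varchar(30), @NewValue, 126) + ''''
EXEC(@sql)
GO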
SQL DBA, SQL Server MVP (07, 08, 09)
A socialist is someone who will give you the shirt off *someone else's* back.
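A stricter variant of the same procedure, as an added example that is not part of the original post: the table and column names are checked against the catalog views, quoted with QUOTENAME, and the value is passed to sp_executesql as a parameter instead of being concatenated. The procedure name, the dbo schema, the key column [ID], and the restriction to date-typed columns are assumptions; only the `<State>_Fees` table pattern comes from the post.

```sql
-- Added example, not the poster's code.
-- Assumed: procedure name, dbo schema, and a key column named [ID].
CREATE PROCEDURE dbo.usp_UpdateStateFee_Example
    @ID         int,
    @State      varchar(30),
    @ColumnName sysname,
    @NewValue   datetime
AS
SET NOCOUNT ON;

DECLARE @table sysname = @State + '_Fees';
DECLARE @object_id int, @sql nvarchar(max);

-- Allow-list the table: it must be an existing user table in dbo.
SELECT @object_id = t.object_id
FROM sys.tables AS t
WHERE t.name = @table
  AND t.schema_id = SCHEMA_ID('dbo');

IF @object_id IS NULL
    RETURN -100;  -- unknown table

-- Allow-list the column: it must exist on that table and hold a date type,
-- so the caller cannot redirect the update to an arbitrary column.
IF NOT EXISTS (SELECT 1
               FROM sys.columns AS c
               WHERE c.object_id = @object_id
                 AND c.name = @ColumnName
                 AND TYPE_NAME(c.system_type_id)
                     IN ('datetime', 'smalldatetime', 'datetime2', 'date'))
    RETURN -101;  -- unknown or non-date column

-- QUOTENAME doubles any ] inside an identifier, so a name cannot close the
-- bracket early. The values never become part of the SQL text.
SET @sql = N'UPDATE dbo.' + QUOTENAME(@table)
         + N' SET ' + QUOTENAME(@ColumnName) + N' = @NewValue'
         + N' WHERE [ID] = @ID;';

EXEC sys.sp_executesql
     @sql,
     N'@NewValue datetime, @ID int',
     @NewValue = @NewValue,
     @ID = @ID;
GO
```

A `@State` or `@ColumnName` value containing `]`, a quote, or a semicolon simply fails the catalog lookup and returns an error code, so no character filter is needed.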