Alternatively, instead of using a Table-type parameter, you could consider passing the value as a delimited string and then using a string splitter.
Either way, Gail is completely right; parametrise your SQL, or use a Stored Procedure. SQL Injection is never a good thing.
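The delimited-string approach from the post above, as an added T-SQL example that is not part of the original thread. It assumes SQL Server 2016 or later (database compatibility level 130+) for the built-in `STRING_SPLIT`; the table, procedure and sample rows are hypothetical and constructed for illustration.

```sql
-- Constructed demo table and rows (hypothetical names).
CREATE TABLE dbo.DemoCustomer (
    CustomerID   int          NOT NULL PRIMARY KEY,
    CustomerName nvarchar(50) NOT NULL
);
INSERT INTO dbo.DemoCustomer (CustomerID, CustomerName)
VALUES (1, N'Alpha'), (2, N'Bravo'), (3, N'Charlie'), (4, N'Delta');
GO

CREATE PROCEDURE dbo.GetDemoCustomersByIdList
    @IdList varchar(8000)            -- comma-delimited list, e.g. '1,3,4'
AS
BEGIN
    SET NOCOUNT ON;

    -- @IdList is only ever handled as data: it is split into rows and each
    -- token is converted to int. No part of it is concatenated into a SQL
    -- statement, so no part of it can be executed.
    SELECT c.CustomerID, c.CustomerName
    FROM dbo.DemoCustomer AS c
    WHERE c.CustomerID IN (
        SELECT TRY_CONVERT(int, LTRIM(RTRIM(s.value)))
        FROM STRING_SPLIT(@IdList, ',') AS s
        -- TRY_CONVERT(int, '') yields 0 rather than NULL, so drop empty
        -- tokens explicitly (a trailing comma would otherwise match ID 0).
        WHERE LTRIM(RTRIM(s.value)) <> ''
    );
END;
GO

-- Ordinary call with a well-formed list.
EXEC dbo.GetDemoCustomersByIdList @IdList = '1,3,4';

-- Malformed list: the second token is not an integer, so TRY_CONVERT turns
-- it into NULL and it matches nothing. The text after the semicolon is never
-- parsed as SQL.
EXEC dbo.GetDemoCustomersByIdList
     @IdList = '2, 3; DROP TABLE dbo.DemoCustomer;--';

-- The same query issued ad hoc stays parameterised through sp_executesql.
EXEC sys.sp_executesql
     N'SELECT c.CustomerID, c.CustomerName
       FROM dbo.DemoCustomer AS c
       WHERE c.CustomerID IN (SELECT TRY_CONVERT(int, s.value)
                              FROM STRING_SPLIT(@IdList, '','') AS s
                              WHERE s.value <> '''')',
     N'@IdList varchar(8000)',
     @IdList = '1,2';
```

On versions without `STRING_SPLIT`, a user-defined splitter function takes its place in the subquery; the parameter handling is unchanged.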