What you are asking is possible through the blessing and curse of dynamic sql. before you start in on dynamic sql have a read through this as it has a detailed section on SQL Injection risks when using dynamic sql along with a good primer on dynamic sql.
http://www.sommarskog.se/dynamic_sql.html
For performance Issues see how we like them posted here: How to Post Performance Problems - Gail Shaw[/url]
Need to Split some strings? Jeff Moden's DelimitedSplit8K[/url]
Jeff Moden's Cross tab and Pivots Part 1[/url]
Jeff Moden's Cross tab and Pivots Part 2[/url]