Thanks for the input guys! 😀
@Eugene
That is not dynamic SQL...
I know. I was just demonstrating Jeffs suggestion of checking for a valid object and stopping if it isn't valid.
So far as SQL injection goes, your code is wide open for it the way @DBName is currently used. The best way around it is to check that the content of @DBName actually exists in sys.databases or throw a fatal error.
Thanks for the injection example!!
Time to test some of my apps and SPs! 😛