Annee (8/6/2013)
Thanks for the quick response and the solution, had to modify it slightly as below:
CREATE PROCEDURE [dbo].[pr_GetVendorInfo]
(
@ClientName nVarChar(15),
@VendorName nVarChar(40),
@InvoiceType nVarChar(30)
)
AS
declare @SQL nvarchar(2000)
set @SQL = 'SELECT COUNT(*) FROM AgencySupplierPartner '
+ ' WHERE ClientName = '''+@ClientName+''' AND VendorName = '''+@VendorName +''''
if @InvoiceType = 'AcceptStandard'
set @SQL = @SQL + ' AND AcceptStandard = ''true'''
if @InvoiceType = 'AcceptSummary'
set @SQL = @SQL + ' AND AcceptSummary = ''true'''
print @SQL
exec sp_executesql @SQL
You need to look closely at the dynamic sql I wrote. You removed the parameterization and this is wide open to sql injection attack.
Consider what would happen if somebody passed in for @VendorName
''; drop table AgencySupplierPartner;--
NEVEN NEVER NEVER execute a dynamic sql string with parameters unless the dynamic is parameterized.
_______________________________________________________________
Need help? Help us help you.
Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.
Need to split a string? Try Jeff Modens splitter http://www.sqlservercentral.com/articles/Tally+Table/72993/.
Cross Tabs and Pivots, Part 1 – Converting Rows to Columns - http://www.sqlservercentral.com/articles/T-SQL/63681/
Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs - http://www.sqlservercentral.com/articles/Crosstab/65048/
Understanding and Using APPLY (Part 1) - http://www.sqlservercentral.com/articles/APPLY/69953/
Understanding and Using APPLY (Part 2) - http://www.sqlservercentral.com/articles/APPLY/69954/