• pietlinden (9/23/2013)


    Just say NO to dynamic SQL!!! That opens doors to all kinds of REALLY bad things! I should probably go find Kevin Kline's "SQL Server Low-Hanging Fruit" presentation - Wherever possible, you want to use the smallest and most restrictive data type possible in your stored procedures. Dynamic SQL in my opinion is a tool of last resort.

    What if you have a simple stored procedure like you have with huge parameters and someone passes "; INSERT INTO..." and then mails himself the results using DBMail? You're in serious trouble. Not good at all.

    I would suggest a more restrictive approach. Gender can be (usually) one of 3 options: M, F, Unknown/Null. So make the field a CHAR, and then it's impossible to stuff any junk in there that doesn't belong.

Hi pietlinden 🙂

Thank you for answering my question my friend 🙂

But can you elaborate on your answer... I am really interested in your answer.. 🙂 thanks 😉

Here Hoping 😉
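To illustrate the point made in the quoted post, here is an added T-SQL example (not code from either poster): a stored procedure that splices a wide VARCHAR parameter into dynamic SQL, beside a version that uses the restrictive CHAR(1) type and, where dynamic SQL cannot be avoided, binds the value through sp_executesql instead of concatenating it. The Person table, its columns and the procedure names are assumed for illustration.

```sql
-- Added example, not from the thread. Table and names are assumed.
CREATE TABLE dbo.Person (
    PersonId INT IDENTITY PRIMARY KEY,
    FullName NVARCHAR(100) NOT NULL,
    Gender   CHAR(1) NOT NULL
        -- Restrictive type plus a CHECK: only M, F or U can ever be stored.
        CONSTRAINT CK_Person_Gender CHECK (Gender IN ('M', 'F', 'U'))
);
GO

-- Vulnerable pattern: the parameter is concatenated into the statement text,
-- so whatever the caller passes is executed as SQL, not compared as a value.
-- A 4000-character parameter leaves plenty of room for extra statements.
CREATE PROCEDURE dbo.GetPeopleByGender_Unsafe
    @Gender VARCHAR(4000)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT PersonId, FullName FROM dbo.Person WHERE Gender = '''
        + @Gender + N''';';
    EXEC (@sql);   -- executes attacker-controlled statement text
END
GO

-- Hardened pattern: CHAR(1) truncates the interface to a single character,
-- the value is validated against the allowed set, and sp_executesql binds
-- @g as a typed parameter so it can only ever be data, never statement text.
CREATE PROCEDURE dbo.GetPeopleByGender
    @Gender CHAR(1)
AS
BEGIN
    IF @Gender NOT IN ('M', 'F', 'U')
        THROW 50001, 'Gender must be M, F or U.', 1;

    DECLARE @sql NVARCHAR(200) =
        N'SELECT PersonId, FullName FROM dbo.Person WHERE Gender = @g;';
    EXEC sys.sp_executesql @sql, N'@g CHAR(1)', @g = @Gender;
END
GO

-- Same result with no dynamic SQL at all, which is the simplest option here.
EXEC dbo.GetPeopleByGender @Gender = 'M';
```

If the query genuinely has no need to be built at runtime, the plain SELECT inside the procedure is the better choice; sp_executesql is shown only for the cases where dynamic SQL is unavoidable.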