• pietlinden (9/23/2013)


    Just say NO to dynamic SQL!!! That opens doors to all kinds of REALLY bad things! I should probably go find Kevin Kline's "SQL Server Low-Hanging Fruit" presentation - Wherever possible, you want to use the smallest and most restrictive data type possible in your stored procedures. Dynamic SQL in my opinion is a tool of last resort.

    I completely disagree here. Dynamic SQL is incredibly powerful and is absolutely the right tool for this type of query. The problem is the approach is completely wrong. This code is wide open to SQL injection attack.

    _______________________________________________________________

    Need help? Help us help you.

    Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.

    Need to split a string? Try Jeff Moden's splitter http://www.sqlservercentral.com/articles/Tally+Table/72993/.

    Cross Tabs and Pivots, Part 1 – Converting Rows to Columns - http://www.sqlservercentral.com/articles/T-SQL/63681/
    Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs - http://www.sqlservercentral.com/articles/Crosstab/65048/
    Understanding and Using APPLY (Part 1) - http://www.sqlservercentral.com/articles/APPLY/69953/
    Understanding and Using APPLY (Part 2) - http://www.sqlservercentral.com/articles/APPLY/69954/