• It was me who has repeatedly told you over the last few days that you need to parameterize your dynamic sql. I have posted the same link to the same article that Gail posted (she is the author of that fantastic piece of work btw). Please take the time to read it. You said you have read it but you keep posting code that is vulnerable to sql injection.

    I even showed you a code example of how dangerous injection can be. Do yourself and your company a favor and stop using dynamic sql without parameters.

    _______________________________________________________________

    Need help? Help us help you.

    Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.

    Need to split a string? Try Jeff Moden's splitter http://www.sqlservercentral.com/articles/Tally+Table/72993/.

    Cross Tabs and Pivots, Part 1 – Converting Rows to Columns - http://www.sqlservercentral.com/articles/T-SQL/63681/
    Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs - http://www.sqlservercentral.com/articles/Crosstab/65048/
    Understanding and Using APPLY (Part 1) - http://www.sqlservercentral.com/articles/APPLY/69953/
    Understanding and Using APPLY (Part 2) - http://www.sqlservercentral.com/articles/APPLY/69954/
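
An added example, not code from this post or from the linked article: the same dynamic search written first with string concatenation and then with parameters passed through `sp_executesql`, plus the catalog check and `QUOTENAME` that cover identifiers, which cannot be parameters. The `#Customers` table, its columns, the variable names and the input values are constructed for illustration.

```sql
-- Constructed sample data; table and column names are assumptions for this example.
CREATE TABLE #Customers (CustomerID int PRIMARY KEY, LastName nvarchar(50) NOT NULL);
INSERT INTO #Customers (CustomerID, LastName)
VALUES (1, N'Smith'), (2, N'O''Brien'), (3, N'Jones');

-- Constructed input, as it might arrive from an application search box.
DECLARE @LastName nvarchar(50) = N'x'' OR 1 = 1 --';
DECLARE @sql nvarchar(max);

-- Vulnerable form: the value becomes part of the statement text, so the quote
-- in the input closes the string literal and the remainder is parsed as SQL.
SET @sql = N'SELECT CustomerID, LastName FROM #Customers WHERE LastName = N'''
         + @LastName + N''';';
PRINT @sql;   -- inspect the statement that is about to run
EXEC (@sql);

-- Parameterized form: the statement text is constant and the value travels
-- separately as a typed parameter, so it is only ever compared as data.
SET @sql = N'SELECT CustomerID, LastName FROM #Customers WHERE LastName = @pLastName;';
EXEC sys.sp_executesql @sql, N'@pLastName nvarchar(50)', @pLastName = @LastName;

-- A legitimate value containing an apostrophe needs no escaping either.
SET @LastName = N'O''Brien';
EXEC sys.sp_executesql @sql, N'@pLastName nvarchar(50)', @pLastName = @LastName;

-- Identifiers (here a sort column) cannot be passed as parameters. Check the
-- name against the catalog, then wrap it with QUOTENAME before concatenating.
DECLARE @SortColumn sysname = N'LastName';
IF EXISTS (SELECT 1
           FROM tempdb.sys.columns
           WHERE object_id = OBJECT_ID(N'tempdb..#Customers')
             AND name = @SortColumn)
BEGIN
    SET @sql = N'SELECT CustomerID, LastName FROM #Customers ORDER BY '
             + QUOTENAME(@SortColumn) + N';';
    EXEC sys.sp_executesql @sql;
END
ELSE
    RAISERROR(N'Unknown sort column.', 16, 1);

DROP TABLE #Customers;
```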