Please don't ever do that. There's a critical security flaw in your code (SQL Injection). NEVER concatenate parameters into a string and execute the string.
Have a look at table-type parameters to pass multiple values to a stored procedure.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
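
The contrast the reply describes, as an added T-SQL example that is not part of the original post or the poster's code. The table, procedure, and type names (`dbo.Orders`, `dbo.GetOrders_Concatenated`, `dbo.GetOrders_TVP`, `dbo.IntList`) are hypothetical, since the code being replied to is not shown on this page.

```sql
-- Hypothetical table, for illustration only.
CREATE TABLE dbo.Orders (
    OrderID      int           NOT NULL PRIMARY KEY,
    CustomerName nvarchar(100) NOT NULL
);
GO

-- The pattern being warned against: the caller's list is pasted into the
-- statement text, so whatever arrives in @IdList is parsed as SQL.
CREATE PROCEDURE dbo.GetOrders_Concatenated
    @IdList nvarchar(max)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT OrderID, CustomerName FROM dbo.Orders WHERE OrderID IN ('
        + @IdList + N')';
    EXEC (@sql);
END;
GO

-- The replacement: a user-defined table type carries the values as typed rows.
-- A non-integer value fails type conversion instead of becoming statement text.
CREATE TYPE dbo.IntList AS TABLE (Value int NOT NULL PRIMARY KEY);
GO

CREATE PROCEDURE dbo.GetOrders_TVP
    @Ids dbo.IntList READONLY   -- table-valued parameters must be declared READONLY
AS
BEGIN
    SET NOCOUNT ON;
    -- Static statement: no string building, no EXEC of caller-supplied text.
    SELECT o.OrderID, o.CustomerName
    FROM dbo.Orders AS o
    JOIN @Ids AS i ON i.Value = o.OrderID;
END;
GO

-- Calling it from T-SQL: fill a variable of the table type and pass it.
DECLARE @Ids dbo.IntList;
INSERT INTO @Ids (Value) VALUES (1), (2), (3);
EXEC dbo.GetOrders_TVP @Ids = @Ids;
```

From ADO.NET the same procedure is called with a `SqlParameter` whose `SqlDbType` is `Structured` and whose `TypeName` is the table type.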