Mike,
Dynamic SQL isn't any more susceptible to injection attacks than stored procedures. You can call a stored procedure with literal parameters just as easily as you can a dynamic SQL statement <g>...
There's no perf advantage to stored procs in SQL 2000 or 2005, but there's more administrative control and some people like to centralize the data logic on the server.
I love to have people who are hell-bent on stored procedures try to justify it and come up with all sorts of non-issues <g>...
+++ Rick ---
>Hi Kevin
>
>>
The VFP app is using VFP as the backend. We have tons of data and are moving to SQL. His argument is that since we are not using VFP for the backend, why use it at all. We also don't have very many VFP developers here. We have several people that know C#.NET >>
>>OK, that helps. Next set of questions....
>>
>>- You say your VFP app is using a VFP database. How were you doing your data access in your VFP app? Remote views, stored procs, pass-thru, etc. Most (not all, but most) people using .NET and SQL Server utilize stored procedures. So you'll need to account for that type of effort. Is your VFP app a desktop app, LAN app, client server app, etc.? (or maybe a better question...is it structured towards a certain architecture?)
>>
>
>Why do people use stored procedures? Based on the huge fights I've seen, I wouldn't say most people, either. With .NET you can send parameters. Personally, I want to give the users more control over the queries. Injection attacks can't happen with ad hoc parameterized SQL, can they?
>
>Bear in mind, I'm a .NET newbie, but I believe I understand the concept. If I use a stored procedure to assemble an SQL command I open myself to injection too.
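
The point raised in this thread, that a stored procedure which assembles its own SQL command is as exposed as concatenated ad hoc SQL, shown as an added T-SQL example that is not part of the original messages. The table, procedure names and input value are hypothetical and constructed for illustration; `sp_executesql` is the built-in SQL Server procedure for parameterized dynamic SQL.

```sql
-- Constructed sample table and rows (hypothetical names).
CREATE TABLE dbo.Customers (Id int PRIMARY KEY, LastName nvarchar(50) NOT NULL);
INSERT INTO dbo.Customers (Id, LastName) VALUES (1, N'Smith');
INSERT INTO dbo.Customers (Id, LastName) VALUES (2, N'Jones');
GO

-- Stored procedure that assembles its command by concatenation.
-- @LastName arrives as a typed parameter, but its text is then pasted
-- into the statement, so a quote in the value ends the string literal
-- and whatever follows is parsed as SQL.
CREATE PROCEDURE dbo.FindCustomer_Concat
    @LastName nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(400);
    SET @sql = N'SELECT Id, LastName FROM dbo.Customers WHERE LastName = '''
             + @LastName + N'''';
    EXEC (@sql);
END
GO

-- Same dynamic statement, but the value stays a parameter all the way
-- to execution. The statement text is fixed; the input is only data.
CREATE PROCEDURE dbo.FindCustomer_Param
    @LastName nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(400);
    SET @sql = N'SELECT Id, LastName FROM dbo.Customers WHERE LastName = @p';
    EXEC sp_executesql @sql, N'@p nvarchar(50)', @p = @LastName;
END
GO

-- Constructed input containing a quote and a boolean clause.
DECLARE @input nvarchar(50);
SET @input = N'x'' OR ''1''=''1';

-- Concatenating procedure: the WHERE clause it executes is
--   LastName = 'x' OR '1'='1'
EXEC dbo.FindCustomer_Concat @LastName = @input;

-- Parameterized procedure: the input is compared, as a whole string,
-- against LastName.
EXEC dbo.FindCustomer_Param @LastName = @input;
```

The same distinction applies on the client: a parameterized command keeps the value out of the statement text whether it targets ad hoc SQL or a stored procedure, while a call string built with literal values does not.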