>>You can create the SQL in a stored procedure like that, but since you're going to call sp_ExecuteSQL you still have to watch out for SQL Injection attacks. I just finished an article for FPA on the proper way to prevent them. Keep an eye out for it.
>
>
>Good point. Had thought of that but in this case there is very low risk as it is in an Intranet and this particular function is only used by Admins to create some info for users to see.

I like consistency. I outline a technique in that article which can be used everytime. Now when I don't use it, my skin crawls. :)