if (type != "F") search_qry = new System.Text.StringBuilder(); if (Util.ContainsTelephone(SearchExpr)) { string PhoneNumber = Util.ExtractTeleNum(SearchExpr), PhoneSearch; PhoneSearch = PhoneNumber.Replace("-", "").Replace(" ", "").Replace(".", "").Replace("(", "").Replace(")", ""); search_qry.AppendFormat("AND (Replace(Replace(Replace(Replace(Replace(HomePhone, ' ', ''),'-',''),'.',''),'(',''),')', '') " + "LIKE '%{0}%' OR Replace(Replace(Replace(Replace(Replace(CellPhone, ' ', ''),'-',''),'.',''),'(',''),')', '') LIKE '%{0}%') ", PhoneSearch); SearchExpr = SearchExpr.Replace(PhoneNumber, " "); } string[] words = SearchExpr.Split(splitter); // Injection attack foreach (string word in words) { if (Util.IsNumeric(word)) { search_qry.Append("AND (Zip LIKE'" + word + "%'OR Address1 LIKE'" + word + "%' OR Address2 LIKE'" + word + "%')"); } else { search_qry.Append("AND (LastName LIKE'" + word + "%' OR FirstName LIKE'" + word + "%' OR Address1 LIKE'" + word + "%' OR Address2 LIKE'" + word + "%' OR City LIKE'" + word + "%' OR State LIKE'" + word + "%' OR Email LIKE'" + word + "%' OR UserName LIKE'" + word + "%' OR CellPhone LIKE'" + word + "%' OR ScreenName LIKE'" + word + "%' OR MiddleName LIKE'" + word + "%')"); } } qry_s = search_qry.ToString();I'm thinking how can I switch from this code to an SP? Perhaps I just need to create, say, 4 parameters for possible words and then in that code just set parameters?