>>Look at SQLEXEC() function.
>>
>>Also, it's bad practice to embed parameters into your sql query. It opens you up to SQL injection attacks.
>
>http://xkcd.com/327/
I have always loved this XKCD.
Technically he's wrong. He should say parameterize but sanitize fits in the space better :)