>>>>Look at SQLEXEC() function.
>>>>
>>>>Also, it's bad practice to embed parameters into your sql query. It opens you up to SQL injection attacks.
>>>
>>>
>>>http://xkcd.com/327/
>>I have always loved this XKCD.
>>
>>Technically he's wrong. He should say parameterize but sanitize fits in the space better :)
>>
>>
>>http://select-into.blogspot.com/2011/01/little-bobby-tables.html
>Thanks for the link - that's the most concise explanation of strategies for mitigation of SQL Injection I've ever seen.
A friend of my son actually managed to get a company registered with a name which was created with SQL injection in mind, as a joke.
http://mrbadak.com/2009/04/24/sql-injection-fail/
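As an added example (not code from this thread or from SQLEXEC()), the "embed the value in the query text" pattern beside the parameterized one, using Python's sqlite3 module with the name from the linked comic as input; the students table is constructed here, and executescript() is used only to stand in for a driver that accepts a batch of statements.

```python
import sqlite3

# Constructed test input: the student name from xkcd 327.
BOBBY = "Robert'); DROP TABLE students;--"


def new_db():
    """Constructed in-memory database with one row, for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT)")
    conn.execute("INSERT INTO students (name) VALUES ('Alice')")
    return conn


def table_exists(conn):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'students'"
    ).fetchone()
    return row is not None


def add_student_embedded(conn, name):
    """The pattern the thread warns against: the value is pasted into the SQL
    text, so any quote inside it is read as SQL syntax.  executescript() plays
    the role of a driver that accepts a statement batch (assumption)."""
    conn.executescript("INSERT INTO students (name) VALUES ('" + name + "')")


def add_student_parameterized(conn, name):
    """The fix: fixed statement text with a placeholder; the driver passes the
    value separately, so whatever the string contains is stored as data."""
    conn.execute("INSERT INTO students (name) VALUES (?)", (name,))
    conn.commit()


def names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM students ORDER BY name")]


def demo():
    """Return (table survives embedded insert, table survives parameterized
    insert, names stored by the parameterized version)."""
    bad = new_db()
    add_student_embedded(bad, BOBBY)
    good = new_db()
    add_student_parameterized(good, BOBBY)
    return table_exists(bad), table_exists(good), names(good)


if __name__ == "__main__":
    print(demo())  # (False, True, ['Alice', "Robert'); DROP TABLE students;--"])
```

The same placeholder form also handles legitimate names containing an apostrophe, which the embedded form turns into a syntax error.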