>>>>>>I don't understand why my code isn't working as I use the identical technique in another SP and it works wonderfully
>>>>>
>>>>>But this works:
>>>>>
>>>>>DECLARE @Test TABLE (Fld1 NVARCHAR(50))
>>>>>INSERT INTO @Test VALUES ('WLIF20120047')
>>>>>DECLARE @LikePerc nvarchar(50)
>>>>>DECLARE @LikeWoPerc nvarchar(50)
>>>>>SET @LikePerc = 'WLIF20120047%'
>>>>>SET @LikeWoPerc = 'WLIF20120047'
>>>>>SELECT * FROM @Test WHERE Fld1 LIKE @LikePerc
>>>>>SELECT * FROM @Test WHERE Fld1 LIKE @LikeWoPerc
>>>>>
>>>>
>>>>So Boris,
>>>>
>>>>are you telling me to always add the % on at the end of the string I pass?
>>>
>>>Yes (of course when you use LIKE operator :-)).
>>
>>But when I run your sample code I get results for both SELECTs, so I don't need the % to get the correct result.
>>
>>Somebody has indicated that my type of code is susceptible to SQL Injection. I thought the use of Parameters made that impossible. What do you say?
>
>You get results with both because Fld1 is nvarchar and it is clear at the end. If you have some spaces at the end you will not get the result.
>
>DECLARE @Test TABLE (Fld1 NVARCHAR(50))
>INSERT INTO @Test VALUES ('WLIF20120047 ')
>DECLARE @LikePerc nvarchar(50)
>DECLARE @LikeWoPerc nvarchar(50)
>SET @LikePerc = 'WLIF20120047%'
>SET @LikeWoPerc = 'WLIF20120047'
>SELECT * FROM @Test WHERE Fld1 LIKE @LikePerc
>SELECT * FROM @Test WHERE Fld1 LIKE @LikeWoPerc
>
>
>Yes, Parameters made Injections more or less impossible.
Which one is it? It's either possible or impossible.