>>>>>>>I don't understand why my code isn't working as I use the identical technique in another SP and it works wonderfully
>>>>>>
>>>>>>But this works:
>>>>>>

>>>>>>DECLARE @Test TABLE (Fld1 NVARCHAR(50))
>>>>>>INSERT INTO @Test VALUES ('WLIF20120047')
>>>>>>DECLARE @LikePerc nvarchar(50)
>>>>>>DECLARE @LikeWoPerc nvarchar(50)
>>>>>>SET @LikePerc = 'WLIF20120047%'
>>>>>>SET @LikeWoPerc = 'WLIF20120047'
>>>>>>SELECT * FROM @Test WHERE Fld1 LIKE @LikePerc
>>>>>>SELECT * FROM @Test WHERE Fld1 LIKE @LikeWoPerc
>>>>>>

>>>>>
>>>>>So Boris,
>>>>>
>>>>>are you telling me to always add the % on at the end of the string I pass?
>>>>
>>>>Yes (of course when you use LIKE operator :-)).
>>>
>>>But when I run your sample code I get results for both SELECTs, so I don't need the % to get the correct result.
>>>
>>>Somebody has indicated that my type of code is susceptible to SQL Injection. I thought the use of Parameters made that impossible. What do you say?
>>
>>You get results with both because Fld1 is nvarchar and it is clear at the end. If you have some spaces at the end you will not get the result.
>>

>>DECLARE @Test TABLE (Fld1 NVARCHAR(50))
>>INSERT INTO @Test VALUES ('WLIF20120047                                                      ')
>>DECLARE @LikePerc nvarchar(50)
>>DECLARE @LikeWoPerc nvarchar(50)
>>SET @LikePerc = 'WLIF20120047%'
>>SET @LikeWoPerc = 'WLIF20120047'
>>SELECT * FROM @Test WHERE Fld1 LIKE @LikePerc
>>SELECT * FROM @Test WHERE Fld1 LIKE @LikeWoPerc
>>

>>
>>Yes, Parameters made Injections more or less impossible.
>
>Which one is it? It's either possible or impossible.

When you use Parameters the provider use
EXEC sp_executesql ... SP and pass parameters to it. Than makes injections almost impossible.
I didn't say that it is impossible because I don't know how sp_executesql works (it is a DLL procedure not T-SQL one) and maybe somewhere someone knows how to trick it :-)