Stored Procedure returning no results
Posted: 31/05/2012 07:16:06
General information
Forum:
Microsoft SQL Server
Category:
Stored procedures, Triggers, UDFs
Environment versions
SQL Server:
SQL Server 2008
Miscellaneous
Thread ID:
01544680
Message ID:
01544905
Views:
17
>>>>>>>>I don't understand why my code isn't working as I use the identical technique in another SP and it works wonderfully
>>>>>>>
>>>>>>>But this works:
>>>>>>>
>>>>>>>DECLARE @Test TABLE (Fld1 NVARCHAR(50))
>>>>>>>INSERT INTO @Test VALUES ('WLIF20120047')
>>>>>>>DECLARE @LikePerc nvarchar(50)
>>>>>>>DECLARE @LikeWoPerc nvarchar(50)
>>>>>>>SET @LikePerc = 'WLIF20120047%'
>>>>>>>SET @LikeWoPerc = 'WLIF20120047'
>>>>>>>SELECT * FROM @Test WHERE Fld1 LIKE @LikePerc
>>>>>>>SELECT * FROM @Test WHERE Fld1 LIKE @LikeWoPerc
>>>>>>>
>>>>>>
>>>>>>So Boris,
>>>>>>
>>>>>>are you telling me to always add the % on at the end of the string I pass?
>>>>>
>>>>>Yes (of course when you use LIKE operator :-)).
>>>>
>>>>But when I run your sample code I get results for both SELECTs, so I don't need the % to get the correct result.
>>>>
>>>>Somebody has indicated that my type of code is susceptible to SQL Injection. I thought the use of Parameters made that impossible. What do you say?
>>>
>>>You get results with both because Fld1 is nvarchar and it is clear at the end. If you have some spaces at the end you will not get the result.
>>>
>>>DECLARE @Test TABLE (Fld1 NVARCHAR(50))
>>>INSERT INTO @Test VALUES ('WLIF20120047                                                      ')
>>>DECLARE @LikePerc nvarchar(50)
>>>DECLARE @LikeWoPerc nvarchar(50)
>>>SET @LikePerc = 'WLIF20120047%'
>>>SET @LikeWoPerc = 'WLIF20120047'
>>>SELECT * FROM @Test WHERE Fld1 LIKE @LikePerc
>>>SELECT * FROM @Test WHERE Fld1 LIKE @LikeWoPerc
>>>
>>>
>>>Yes, Parameters make injections more or less impossible.
>>
>>Which one is it? It's either possible or impossible.
>
>When you use Parameters the provider uses
>EXEC sp_executesql ... SP and passes parameters to it. That makes injections almost impossible.
>I didn't say that it is impossible because I don't know how sp_executesql works (it is a DLL procedure not T-SQL one) and maybe somewhere someone knows how to trick it :-)

Thanks Boris
Frank.

Frank Cazabon
Samaan Systems Ltd.
www.samaansystems.com
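Added example (my own T-SQL, not code posted in this thread) that puts Boris's two points side by side on SQL Server 2008: why a trailing-space value matches with = but not with LIKE, and how sp_executesql keeps a search value as data. #Test and its padded row are constructed for the demo.

```sql
-- Constructed table: one row whose value is padded with trailing spaces.
IF OBJECT_ID('tempdb..#Test') IS NOT NULL DROP TABLE #Test;
CREATE TABLE #Test (Fld1 NVARCHAR(50));
INSERT INTO #Test VALUES (N'WLIF20120047        ');

DECLARE @Key NVARCHAR(50) = N'WLIF20120047';

-- '=' pads the shorter operand with spaces, so trailing spaces in Fld1 are ignored: 1 row.
SELECT N'equals'     AS test, COUNT(*) AS rows_found FROM #Test WHERE Fld1 = @Key;
-- LIKE treats every character of the pattern as significant: 0 rows (Frank's symptom).
SELECT N'like_plain' AS test, COUNT(*) AS rows_found FROM #Test WHERE Fld1 LIKE @Key;
-- Appending % as Boris advises matches again: 1 row.
SELECT N'like_pct'   AS test, COUNT(*) AS rows_found FROM #Test WHERE Fld1 LIKE @Key + N'%';
-- Trimming the column instead gives an exact match without a wildcard: 1 row.
SELECT N'like_rtrim' AS test, COUNT(*) AS rows_found FROM #Test WHERE RTRIM(Fld1) LIKE @Key;

-- Dynamic SQL the parameterised way: the search value travels as a typed parameter
-- and is only ever compared as data, never parsed as part of the statement text.
DECLARE @Sql NVARCHAR(MAX) =
    N'SELECT Fld1 FROM #Test WHERE Fld1 LIKE @p + N''%''';
EXEC sp_executesql @Sql, N'@p NVARCHAR(50)', @p = @Key;     -- 1 row

-- A value containing a quote is still just a value here (0 rows, no error);
-- spliced into the statement text by concatenation it would alter the statement.
DECLARE @Odd NVARCHAR(50) = N'it''s only data';
EXEC sp_executesql @Sql, N'@p NVARCHAR(50)', @p = @Odd;     -- 0 rows

-- Caveat: parameters stop injection, but LIKE wildcards in the value (%, _, [)
-- still act as wildcards. Escape them when the input must match literally.
DECLARE @Wild NVARCHAR(50) = N'WLIF2012%';
SELECT N'wild_raw'     AS test, COUNT(*) AS rows_found FROM #Test
WHERE Fld1 LIKE @Wild;                                      -- 1 row
SELECT N'wild_escaped' AS test, COUNT(*) AS rows_found FROM #Test
WHERE Fld1 LIKE REPLACE(REPLACE(REPLACE(@Wild, N'[', N'[[]'), N'%', N'[%]'), N'_', N'[_]');  -- 0 rows

DROP TABLE #Test;
```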