> declare @cSecondDb as Varchar(100)
> DECLARE @sql nvarchar(200)
> declare @Category as Varchar(25);
> set @Category = '1009F'
> set @cSecondDb = 'SecondSQLDatabase'
> SET @sql = 'select * from '+@cSecondDb+'..mytable where Category = @Category'
> EXEC sp_executesql @sql, N'@Category varchar(25)', @Category = @Category
>
> That's a very good point. I've always been wondering about SQL injections in T-SQL. I usually have this protected in the .NET code with parameterized syntax. But, in T-SQL, the sp_executesql would be better to use. Thanks
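For comparison, an added example (not part of the quoted comment) that puts the string-concatenation form of the same query next to the sp_executesql form, and also guards the one piece the comment still splices into the text, the database name, which cannot be passed as a parameter. `SecondSQLDatabase`, `mytable` and `1009F` are the placeholder values from the comment.

```sql
-- Added example; the database, table and category values are placeholders from the comment.

DECLARE @cSecondDb varchar(100) = 'SecondSQLDatabase';
DECLARE @Category  varchar(25)  = '1009F';

-- 1) Injectable form: the user-supplied value becomes part of the statement text,
--    so a value containing quote characters is interpreted as SQL, not as data.
DECLARE @sqlBad nvarchar(400);
SET @sqlBad = N'select * from ' + @cSecondDb
            + N'..mytable where Category = ''' + @Category + N'''';
-- EXEC (@sqlBad);   -- not executed here: this is the pattern to avoid

-- 2) Parameterized form: the value travels as a typed parameter and is never
--    concatenated into the statement. The database name still has to be spliced
--    into the text, so it is (a) checked against the server's catalog and
--    (b) wrapped with QUOTENAME so it can only ever be read as one identifier.
IF NOT EXISTS (SELECT 1 FROM sys.databases WHERE name = @cSecondDb)
    THROW 50000, 'Unknown database name.', 1;

DECLARE @sqlGood nvarchar(400);
SET @sqlGood = N'select * from ' + QUOTENAME(@cSecondDb)
             + N'..mytable where Category = @Category';

EXEC sp_executesql @sqlGood, N'@Category varchar(25)', @Category = @Category;
```

The catalog check plus QUOTENAME is the usual way to handle identifiers (database, schema, table, column names) that sp_executesql parameters cannot carry.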