Feb 10, 2019 08:56 AM|DA924|LINK
You'll want to prevent SQL injection attacks.
The way you prevent the attack is to use parameterized T-SQL.
Also, using parameterized T-SQL prevents malformed T-SQL, because of the way you are formulating the T-SQL by adding the parms into the T-SQL statement. What if one of the parm's data had a single quote, an escape sequence in T-SQL, in the data? It would cause the T-SQL to be malformed and not work, because of the way you are formulating the T-SQL and not dealing with a single quote coming in the text data.
It's just FYI below, but with what you are doing to formulate the T-SQL, you are wide open to a SQL injection attack.
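The two failure modes the post describes (a legitimate single quote breaking the statement, and an attacker-supplied value rewriting it), shown side by side against the parameterized form. This is an added example, not code from the original thread or the poster; it uses Python's built-in sqlite3 module as a stand-in for SQL Server so it runs offline, and the `users` table and its rows are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the original post): an in-memory
    table standing in for a SQL Server table. sqlite3 is used as a stand-in
    for T-SQL; the concatenation bug and the parameter fix behave the same way."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")],
    )
    conn.commit()
    return conn


def find_by_name_concat(conn, name):
    """The vulnerable pattern: user data is glued into the SQL text.
    A single quote in the data becomes part of the statement's syntax."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_param(conn, name):
    """The fix: the SQL text is fixed and the value travels as a parameter,
    so the database never parses the data as T-SQL."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both queries against a legitimate quoted name and an injection payload."""
    conn = make_db()
    results = {}

    # Case 1: a perfectly valid name that happens to contain a single quote.
    # Concatenation produces  WHERE name = 'O'Brien'  which is malformed SQL.
    try:
        results["concat_quote"] = find_by_name_concat(conn, "O'Brien")
    except sqlite3.OperationalError as e:
        results["concat_quote"] = "ERROR: " + str(e)
    # The parameterized query returns the one matching row.
    results["param_quote"] = find_by_name_param(conn, "O'Brien")

    # Case 2: an injection payload. Concatenation yields
    #   WHERE name = 'x' OR '1'='1'
    # which is always true and dumps every row; the parameterized query
    # looks for a user literally named  x' OR '1'='1  and finds none.
    payload = "x' OR '1'='1"
    results["concat_inject"] = find_by_name_concat(conn, payload)
    results["param_inject"] = find_by_name_param(conn, payload)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

In ADO.NET against SQL Server the same fix is a named parameter in the command text (`WHERE name = @name`) with the value added to `SqlCommand.Parameters`; the `?` placeholder above is just sqlite3's spelling of the same idea.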