You'd better use the stored procedure sp_executesql to construct and parameterise your SQL statement:
CREATE PROC selectAddressBookInformation
    @columnvalue sysname,        -- name of the column to search (an identifier, so it cannot be bound as a parameter)
    @searchword  varchar(100)    -- value to search for (a real parameter)
AS
BEGIN
    DECLARE @SQLString nvarchar(500);
    DECLARE @ParmDefinition nvarchar(500);
    -- A parameter is always a value, never a column reference, so WHERE @columnname = @searchterm would
    -- compare two strings instead of filtering the table. Validate the column name against the table's
    -- metadata, quote it with QUOTENAME, and pass only the search value through sp_executesql.
    IF NOT EXISTS (SELECT 1 FROM sys.columns WHERE object_id = OBJECT_ID(N'dbo.STS_ADDRESS_BOOK') AND name = @columnvalue)
    BEGIN
        RAISERROR(N'Unknown column name', 16, 1);
        RETURN;
    END
    SET @SQLString = N'SELECT * FROM dbo.STS_ADDRESS_BOOK WHERE ' + QUOTENAME(@columnvalue) + N' = @searchterm';
    SET @ParmDefinition = N'@searchterm varchar(100)';
    EXECUTE sp_executesql @SQLString, @ParmDefinition, @searchterm = @searchword;
END
You can see that the stored procedure sp_executesql needs an SQL statement which is parameterised and the declaration of the parameters (names and types). Then following that comes the definition of said parameters. This is better than trying to construct the SQL by string concatenation for the obvious reasons.
Regards,
— Manfred
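The following T-SQL script is an added demonstration, not code from Manfred's post: it spells out the "obvious reasons" by running a hostile search term through string concatenation and through sp_executesql side by side, and shows why a column name cannot be bound as a parameter. It assumes a scratch temp table #AddressBook (constructed inline, stand-in for STS_ADDRESS_BOOK) and SQL Server 2008 or later for DECLARE with initialisation.

```sql
-- Added example (not part of the original post). Runs stand-alone in any SQL Server database.
SET NOCOUNT ON;

-- Constructed sample data standing in for STS_ADDRESS_BOOK.
CREATE TABLE #AddressBook (
    Id       int IDENTITY(1,1) PRIMARY KEY,
    LastName varchar(100) NOT NULL,
    City     varchar(100) NOT NULL
);
INSERT INTO #AddressBook (LastName, City)
VALUES ('Smith', 'Vienna'), ('Jones', 'Graz'), ('Huber', 'Linz');

-- Hostile input: closes the string literal, appends a tautology, comments out the trailing quote.
DECLARE @searchword varchar(100) = 'Smith'' OR 1=1 --';
DECLARE @sql nvarchar(500);

-- 1. String concatenation: the input becomes statement text.
--    Executed text: SELECT * FROM #AddressBook WHERE LastName = 'Smith' OR 1=1 --'
--    Result: all three rows.
SET @sql = N'SELECT * FROM #AddressBook WHERE LastName = ''' + @searchword + N'''';
PRINT @sql;
EXEC sp_executesql @sql;

-- 2. sp_executesql with the value bound as a parameter: the input is compared as one literal
--    string, quotes and all. Result: zero rows, and the statement text never changes.
SET @sql = N'SELECT * FROM #AddressBook WHERE LastName = @searchterm';
EXEC sp_executesql @sql, N'@searchterm varchar(100)', @searchterm = @searchword;

-- 3. Why the column name cannot be a parameter: @columnname below is the string 'LastName',
--    not a reference to the column, so the WHERE clause compares two scalars ('LastName' = 'Smith')
--    and returns either every row or no row regardless of the table contents. Here: zero rows.
SET @sql = N'SELECT * FROM #AddressBook WHERE @columnname = @searchterm';
EXEC sp_executesql @sql, N'@columnname varchar(100), @searchterm varchar(100)',
     @columnname = 'LastName', @searchterm = 'Smith';

-- 4. Dynamic column done safely: allow-list the identifier against the table's metadata,
--    quote it with QUOTENAME, and still pass the value as a parameter. Result: exactly one row.
DECLARE @column sysname = N'LastName';
IF EXISTS (SELECT 1 FROM tempdb.sys.columns
           WHERE object_id = OBJECT_ID(N'tempdb..#AddressBook') AND name = @column)
BEGIN
    SET @sql = N'SELECT * FROM #AddressBook WHERE ' + QUOTENAME(@column) + N' = @searchterm';
    EXEC sp_executesql @sql, N'@searchterm varchar(100)', @searchterm = 'Smith';
END
ELSE
BEGIN
    RAISERROR(N'Unknown column name', 16, 1);
END

DROP TABLE #AddressBook;
```

Run the four batches in order and compare the row counts: the concatenated statement leaks the whole table, the parameterised one returns nothing for the same input, and the metadata check plus QUOTENAME is what makes a caller-chosen column name safe when the identifier genuinely has to vary.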