We all know that a query like this is still vulnerable:
SELECT @sql = @sql + ' ProductName LIKE ''' + @prodname + ''''
What about queries like this:
SELECT id FROM products WHERE name LIKE '%' + @description + '%'
Is the description parameter still vulnerable because it is concatenated, or is it safe because it doesn't have the quotes around it?
Thanks for your help!
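To make the difference between the two patterns concrete, here is an added T-SQL illustration (not code from the question); it assumes a table dbo.products(id, name) and uses a constructed value containing an apostrophe to show which pattern lets input become part of the statement text:

```sql
-- Added illustration, not from the original question.
-- Assumes SQL Server and a table dbo.products(id INT, name NVARCHAR(100)).
DECLARE @description NVARCHAR(100) = N'O''Brien';   -- constructed sample value

-- Pattern 1: dynamic SQL assembled by string concatenation and then executed.
-- The value is spliced into the SQL text BEFORE the parser sees it, so any
-- quote in the value changes the statement's structure. This is the
-- injectable pattern from the first query in the question.
DECLARE @sql NVARCHAR(MAX) =
    N'SELECT id FROM dbo.products WHERE name LIKE ''%' + @description + N'%''';
-- @sql now reads:  SELECT id FROM dbo.products WHERE name LIKE '%O'Brien%'
-- EXEC(@sql) fails with a syntax error on this value; the same mechanism is
-- what allows a crafted value to alter or extend the statement.

-- Pattern 2: the concatenation is a value expression INSIDE a fixed query,
-- as in the second query in the question. The parser sees a constant
-- statement; @description is evaluated as data at run time and can never
-- change the statement's structure, whatever characters it contains.
SELECT id FROM dbo.products WHERE name LIKE N'%' + @description + N'%';

-- Pattern 3: the fix for Pattern 1 when dynamic SQL is genuinely required.
-- Keep the SQL text constant and hand the value over as a parameter with
-- sp_executesql, so it is bound as data rather than pasted into the text.
DECLARE @stmt NVARCHAR(MAX) =
    N'SELECT id FROM dbo.products WHERE name LIKE N''%'' + @d + N''%''';
EXEC sp_executesql @stmt, N'@d NVARCHAR(100)', @d = @description;

-- Caveat for Patterns 2 and 3: '%' and '_' in the value are still LIKE
-- wildcards (a data-matching concern, not injection). Escape them and add
-- an ESCAPE clause if the value must be matched literally, for example:
-- ... LIKE N'%' + REPLACE(REPLACE(@d, N'%', N'\%'), N'_', N'\_') + N'%' ESCAPE N'\'
```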