Quote Originally Posted by si_the_geek
While Parameters are certainly a very good idea in any situation (including this one), they don't need to exclude string building in general - arguably the best way to deal with this situation is to build the conditions in the string (with placeholders for the parameters), and then add the actual values with Parameters.
That's a very good point. I said:
Never use string concatenation to build SQL statements
when what I really meant was never use string concatenation to insert literal column values. I've posted some code in the CodeBank that builds up a SQL statement using concatenation but still uses parameters to create an IN clause.
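The pattern the two posts agree on, as an added example that is not the CodeBank code and not part of either post: the statement's structure (which conditions, how many placeholders) is built by concatenation, while every literal value is passed as a parameter. It is written in Python with the standard-library sqlite3 module rather than the VB.NET/ADO.NET the CodeBank entry presumably uses; the `users` table, its rows and the column allow-list are constructed for the demonstration. It goes a little beyond the single IN clause in the post: several columns at once, the empty-list case, and the one thing parameters cannot cover, the column identifier, which is checked against an allow-list before it is concatenated.

```python
import sqlite3

# Constructed sample data for the demonstration.
SAMPLE_ROWS = [
    (1, "alice", "admin"),
    (2, "bob", "user"),
    (3, "carol", "user"),
    (4, "dave", "guest"),
]

# Identifiers cannot be parameterised, so a caller-supplied column name must
# be validated before it is concatenated into the statement text.
ALLOWED_COLUMNS = {"id", "name", "role"}


def open_db():
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_in_query(filters):
    """filters: dict mapping column name -> list of values.

    Returns (sql, params). The SQL *structure* is built by string
    concatenation; the *values* go into params and never touch the SQL text.
    """
    conditions = []
    params = []
    for column, values in filters.items():
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"column not allowed: {column!r}")
        if not values:
            # "IN ()" is a syntax error in most engines; an empty list should
            # match nothing, so emit a condition that is always false instead.
            conditions.append("0 = 1")
            continue
        placeholders = ", ".join(["?"] * len(values))  # one "?" per value
        conditions.append(f"{column} IN ({placeholders})")
        params.extend(values)
    sql = "SELECT id, name, role FROM users"
    if conditions:
        sql += " WHERE " + " AND ".join(conditions)
    sql += " ORDER BY id"
    return sql, tuple(params)


def query_users(filters):
    """Run the parameterised query and return the matching rows."""
    conn = open_db()
    try:
        sql, params = build_in_query(filters)
        return conn.execute(sql, params).fetchall()
    finally:
        conn.close()


def query_users_unsafe(names):
    """The pattern the thread warns against: literal values concatenated in.
    Kept only to show the difference; a quote in a name breaks out of the
    string literal and changes the query."""
    conn = open_db()
    try:
        quoted = ", ".join(f"'{n}'" for n in names)
        sql = f"SELECT id, name, role FROM users WHERE name IN ({quoted}) ORDER BY id"
        return conn.execute(sql).fetchall()
    finally:
        conn.close()
```

With a value such as `x') OR ('1'='1`, `query_users_unsafe` returns every row because the quote terminates the literal and the rest becomes SQL; `query_users` with the same value returns nothing, since the value is only ever compared as data. The allow-list on the column name is the part a parameterised API cannot do for you, which is exactly why concatenation of the structure still needs care even when the values are safe.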