Sunday, February 12, 2012

Concatenation in query

Hi all,

I am using concatenation in Query in Sql Server like,

Select Column1 + ' bla bla ' + Column2 as MyColumn from MyTable

So, is there any security issue here or not? Because someone told me: don't use concatenation in a query because it is not secure, it is worse for performance, and it helps SQL injection.
Any idea about that??

Thanks
Sajjad

---

no security issue, performance is fine, and sql injection is irrelevant

:)

---

thanks ;)
please tell me about sql injection

---

you may find out more about sql injection here (http://google.ca/search?q=sql+injection)

---

"...sql injection is irrelevant"

Care to elaborate?

---

irrelevant in the context of the given question

there's no way that this --

Select Column1 + ' bla bla ' + Column2 as MyColumn from MyTable

will pose an sql injection threat, since the values are already in the table

i usually try to restrict myself to answering questions always within the context of the question -- for example, replication and backup are irrelevant here, too

---

Depends upon whether 'blah blah' is passed as a variable.

---

' bla bla ' is a constant string in this context, isn't it?

:)

---

I think it is unclear from his original post, which is why I was concerned that your response would be misconstrued.

Hard-coded dynamic sql = Injection free.
Concatenated parameters = Injection warning.

---

ooh, i like it when you get concerned -- don't stop ;)

you are right, sql injection is serious business, and perhaps it's a good idea to mention it in every situation where it might poke its ugly little snoot

---

thanks for all :)
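An added T-SQL illustration of the distinction drawn in the thread ("hard-coded dynamic sql" versus "concatenated parameters"); this is not code from the thread, and the table dbo.Customers and the two procedure names are assumed for the example:

```sql
-- Constructed example, not from the thread. Assumes a table
-- dbo.Customers(FirstName nvarchar(50), LastName nvarchar(50)).

-- 1) Concatenating columns inside a fixed query (the original question).
--    The statement text never changes; the values come from the table rows
--    at execution time, so there is no injection surface here.
SELECT FirstName + ' ' + LastName AS FullName
FROM dbo.Customers;
GO

-- 2) Risky: the caller's value is spliced into the statement text.
--    Whatever @LastName contains is interpreted as SQL, not as data.
CREATE PROCEDURE dbo.FindCustomer_Risky @LastName nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT FirstName, LastName FROM dbo.Customers WHERE LastName = '''
        + @LastName + N'''';
    EXEC (@sql);   -- dynamic SQL built by concatenating a parameter
END;
GO

-- 3) Hardened: the statement text stays constant and the value is bound
--    as a typed parameter through sp_executesql, so it is only ever data.
CREATE PROCEDURE dbo.FindCustomer_Safe @LastName nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT FirstName, LastName FROM dbo.Customers WHERE LastName = @p';
    EXEC sys.sp_executesql @sql, N'@p nvarchar(50)', @p = @LastName;
END;
GO

-- A last name containing a quote, e.g. O'Brien, is compared literally by
-- the safe version, while the risky version would break or reinterpret it.
EXEC dbo.FindCustomer_Safe @LastName = N'O''Brien';
```

Review both the plan cache and the generated text when auditing: the safe form produces one cached plan with a parameter, whereas the risky form produces a different statement per input value.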
