I used in clause but give type conversion error

Question

I used a dynamic sql query and prevent sql injection i want used ( @clientIds ) instead of ('+@clientIds+' )

GO
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
--exec test '1,2'
Alter PROCEDURE [dbo].[test]
    @clientIds varchar(Max)
AS
BEGIN
    DECLARE @sSQL  nvarchar(max);
    DECLARE @params NVARCHAR(MAX);
    Select @sSQL=N'select * from tblClient WITH (NOLOCK) Where clientID in ( @clientIds )'
    SET @params = N'@clientIds NVARCHAR(50)';
    EXECUTE sp_executesql @sSQL, @params, @clientIds;
END

Answer 1

Your SP can be like

Alter PROCEDURE [dbo].[test]
    @clientIds varchar(Max)
AS
    SET NOCOUNT ON;

    DECLARE @SQL  NVARCH(max) = N'SELECT * FROM [tblClient] WHERE [clientID] IN(' + @clientIds + N');';

    EXECUTE sp_executesql @SQL;

But, that won't prevent SQL Injection as it may be in the parameter '1,2;DELETE * FROM tblClient;.

I would use a Table-Valued Parameter instead as

CREATE TYPE MyType AS TABLE (Id INT);

Alter PROCEDURE [dbo].[test]
  @IDs MyType READONLY
AS
    SET NOCOUNT ON;

    SELECT *
    FROM [tblClient] 
    WHERE [clientID] IN(SELECT Id FROM @IDs);

OR

Alter PROCEDURE [dbo].[test]
  @IDs MyType READONLY
AS
    SET NOCOUNT ON;

    SELECT C.*
    FROM [tblClient] C INNER JOIN @IDs Ids
    ON C.clientID = Ids.Id;

Also, check out my answer here for a situation like yours.