Allowing the information to be passed from the form will likely enable SQL injection.

Using an SP would be more secure, especially as it can use a host variable and avoid dynamic SQL.
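The difference described above, as an added example that is not part of the original post. It assumes Db2 SQL PL syntax; the `CUSTOMERS` table and both procedure names are hypothetical. It also shows that a stored procedure only helps when it keeps the form value in a variable instead of building statement text from it.

```sql
-- Statements are terminated with @ (e.g. run with: db2 -td@ -f example.sql).
-- Hypothetical table, constructed for this example.
CREATE TABLE CUSTOMERS (
    CUST_ID   INTEGER      NOT NULL PRIMARY KEY,
    CUST_NAME VARCHAR(50)  NOT NULL,
    EMAIL     VARCHAR(100)
)
@

-- Weak: a stored procedure that still uses dynamic SQL.
-- P_NAME is concatenated into the statement text, so a quote character
-- in the form value changes the statement that gets prepared.
CREATE OR REPLACE PROCEDURE FIND_CUSTOMER_DYNAMIC (IN P_NAME VARCHAR(50))
    LANGUAGE SQL
    DYNAMIC RESULT SETS 1
BEGIN
    DECLARE V_SQL VARCHAR(500);
    DECLARE C1 CURSOR WITH RETURN FOR S1;
    SET V_SQL = 'SELECT CUST_ID, CUST_NAME, EMAIL FROM CUSTOMERS '
             || 'WHERE CUST_NAME = ''' || P_NAME || '''';
    PREPARE S1 FROM V_SQL;
    OPEN C1;
END
@

-- Hardened: static SQL. The statement is fixed when the procedure is
-- created; P_NAME acts as a host variable and is only ever compared as
-- data, whatever characters it contains.
CREATE OR REPLACE PROCEDURE FIND_CUSTOMER_STATIC (IN P_NAME VARCHAR(50))
    LANGUAGE SQL
    DYNAMIC RESULT SETS 1
BEGIN
    DECLARE C1 CURSOR WITH RETURN FOR
        SELECT CUST_ID, CUST_NAME, EMAIL
        FROM CUSTOMERS
        WHERE CUST_NAME = P_NAME;
    OPEN C1;
END
@

-- The application should pass the form value as a bound parameter, e.g. by
-- preparing "CALL FIND_CUSTOMER_STATIC(?)" and binding the input to the
-- marker, rather than concatenating it into the CALL text.
```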

