PROCEDURE  spExecuteSQL

Procedure to safely execute an SQL SELECT statement

The procedure casts the string to lowercase (this could affect some search statements). It rejects strings containing semicolons. It then discards duplicate blanks and the substrings xp_, sp_, fn_, and ms_; this guards against things like 'select dbo.xp_cmdshell('format c');'. Then, if the 'limit' parameter is > 0 (true), the statement must contain a TOP x clause with x < 1000, otherwise a TOP 1000 clause is added. Once the SELECT statement is transformed, it is executed and returns the answer set or an error message.

All the SQL statements are journaled into WebLog.dbo.SQLlog.

Example call: EXEC dbo.spExecuteSQL('Select count(*) from PhotoObj')
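As an added illustration (not the procedure's own T-SQL), the transformation pipeline described above written in Python, so the effect of each step on a submitted statement can be checked. Where the text is silent, two choices are my assumptions: statements that do not begin with SELECT are rejected, and a TOP x with x >= 1000 is replaced by TOP 1000.

```python
import re

MAX_ROWS = 1000
# substrings the procedure strips before execution
BLOCKED_SUBSTRINGS = ("xp_", "sp_", "fn_", "ms_")


class RejectedStatement(ValueError):
    """Raised when the statement is refused instead of transformed."""


def sanitize_select(cmd: str, limit: bool = True) -> str:
    """Return the statement as it would be executed, or raise RejectedStatement.

    Mirrors the steps the description lists: lowercase, refuse semicolons,
    collapse duplicate blanks, drop blocked substrings, enforce TOP < 1000.
    """
    s = cmd.lower()                      # note: also lowercases quoted literals
    if ";" in s:
        raise RejectedStatement("semicolons are not allowed")
    s = re.sub(r" {2,}", " ", s).strip()  # discard duplicate blanks
    for sub in BLOCKED_SUBSTRINGS:
        # plain substring removal, exactly as described: this also edits
        # identifiers and literals that merely contain the substring
        s = s.replace(sub, "")
    # assumption: only SELECT statements are accepted
    if not s.startswith("select"):
        raise RejectedStatement("only SELECT statements are accepted")
    if limit:
        m = re.match(r"select\s+top\s+(\d+)\b", s)
        if m and int(m.group(1)) < MAX_ROWS:
            return s                     # caller's TOP x is small enough
        if m:
            s = "select" + s[m.end():]   # assumption: drop an over-large TOP
        s = "select top %d" % MAX_ROWS + s[len("select"):]
    return s


if __name__ == "__main__":
    # constructed sample statements, including the page's own example
    for stmt in ("Select count(*) from PhotoObj",
                 "select top 10 objid from photoobj",
                 "select dbo.xp_cmdshell('format c')"):
        print(repr(stmt), "->", repr(sanitize_select(stmt)))
```

Because the lowercasing and substring removal act on the whole string, a query whose WHERE clause compares against a mixed-case literal is changed as well; that is the "could affect some search statements" caveat in practice.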

Input and output parameters

name          type      length  inout  pnum
@system       tinyint   1       input  7
@maxQueries   smallint  2       input  8
@limit        int       4       input  2
@log          bit       1       input  9
@filter       bit       1       input  10
@throttle     bit       1       input  11
@cmd          varchar   -1      input  1
@webserver    varchar   64      input  3
@winname      varchar   64      input  4
@clientIP     varchar   50      input  5
@access       varchar   64      input  6