Executing dynamic SQL with sp_executesql

SQL Server lets you execute dynamic SQL with the EXEC command. However, if any user input is concatenated into the statement text, the query is open to SQL injection, because whatever the user supplies is parsed as part of the SQL itself.

The system proc sp_executesql lets you build a parameterized statement dynamically and execute it, passing the parameter values in separately. As long as user-supplied values travel as typed parameters rather than being spliced into the statement text, the query is not subject to SQL injection.
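The difference between the two approaches, as an added example (not the post's own code): it assumes a hypothetical table dbo.Customers(CustomerId, Name, Email) and a caller-supplied value in @Name.

```sql
-- Constructed input: a legitimate name that happens to contain a quote.
DECLARE @Name nvarchar(100) = N'O''Brien';

-- 1. Concatenation with EXEC: @Name becomes part of the statement text,
--    so its contents are parsed as SQL. This form is injectable.
DECLARE @Unsafe nvarchar(max) =
    N'SELECT CustomerId, Name, Email FROM dbo.Customers WHERE Name = '''
    + @Name + N'''';
-- EXEC (@Unsafe);   -- left commented out: do not run this with user input

-- 2. sp_executesql: the statement text is fixed; the value is passed as a
--    typed parameter and is bound at execution time, never parsed as SQL.
DECLARE @Sql nvarchar(max) =
    N'SELECT CustomerId, Name, Email FROM dbo.Customers WHERE Name = @Name';
EXEC sys.sp_executesql
    @Sql,                          -- statement
    N'@Name nvarchar(100)',        -- parameter declarations
    @Name = @Name;                 -- parameter values

-- 3. OUTPUT parameters work the same way, so a dynamically built query can
--    hand a result back to the caller without string tricks.
DECLARE @Count int;
EXEC sys.sp_executesql
    N'SELECT @Count = COUNT(*) FROM dbo.Customers WHERE Name = @Name',
    N'@Name nvarchar(100), @Count int OUTPUT',
    @Name = @Name, @Count = @Count OUTPUT;

-- 4. Identifiers (table or column names) cannot be parameterised. Validate
--    them against the catalogue and wrap them with QUOTENAME instead of
--    concatenating the raw string.
DECLARE @Column sysname = N'Email';   -- assumed caller-chosen column
IF NOT EXISTS (SELECT 1 FROM sys.columns
               WHERE object_id = OBJECT_ID(N'dbo.Customers')
                 AND name = @Column)
    THROW 50000, N'Unknown column requested', 1;

SET @Sql = N'SELECT ' + QUOTENAME(@Column)
         + N' FROM dbo.Customers WHERE CustomerId = @Id';
EXEC sys.sp_executesql @Sql, N'@Id int', @Id = 42;
```

A quick check that the safe form behaves as intended is to run it with @Name set to a string containing a quote or a semicolon: sp_executesql returns no rows for an unmatched name, whereas the concatenated form fails to parse or executes the injected text.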