Parameterizing Dynamic SQL statements
The prior post in this series fixed a parameterization issue by removing dynamic SQL and replacing it with a traditional SQL statement. But sometimes that can’t be done because dynamic SQL is a requirement. In that case the dynamic statement can still be parameterized using two optional parameters to the procedure sp_ExecuteSQL. The first parameter of sp_ExecuteSQL is the only required parameter and contains the SQL statement to be executed. What is less well known is that this statement can reference variable names. By using variable names instead of hard-coded values, the query execution plan used by that SQL statement is more likely
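An added example (not from the original post) of the sp_ExecuteSQL call described above, in T-SQL: the statement text references variables, and the two optional arguments declare them and supply their values. The table, columns and variable names are hypothetical, and the allow-list check for the sort column goes beyond what the post covers.

```sql
-- Constructed sample data; table and column names are hypothetical.
CREATE TABLE #Orders (OrderId int PRIMARY KEY, CustomerName nvarchar(50), OrderDate date);
INSERT INTO #Orders VALUES
    (1, N'Contoso',     '2024-01-15'),
    (2, N'O''Brien Ltd', '2024-02-03'),
    (3, N'Contoso',     '2024-03-20');

DECLARE @CustomerName nvarchar(50) = N'O''Brien Ltd';  -- caller-supplied value
DECLARE @FromDate     date         = NULL;             -- optional filter, not supplied
DECLARE @SortColumn   sysname      = N'OrderDate';     -- caller-supplied identifier

-- Identifiers cannot be passed as parameters: check against an allow-list,
-- then quote the name before it goes into the statement text.
IF @SortColumn NOT IN (N'OrderId', N'CustomerName', N'OrderDate')
    THROW 50000, N'Unsupported sort column.', 1;

-- For contrast, concatenating the value (N'... = ''' + @CustomerName + N'''')
-- would make it part of the statement text: a quote in the value changes the
-- SQL, and every distinct value produces a different statement.

-- Build the text from fixed fragments only; values stay as @variables.
DECLARE @sql nvarchar(max) =
    N'SELECT OrderId, CustomerName, OrderDate FROM #Orders WHERE 1 = 1';
IF @CustomerName IS NOT NULL SET @sql += N' AND CustomerName = @pCustomerName';
IF @FromDate     IS NOT NULL SET @sql += N' AND OrderDate >= @pFromDate';
SET @sql += N' ORDER BY ' + QUOTENAME(@SortColumn) + N';';

EXEC sys.sp_executesql
    @sql,                                             -- required: the statement
    N'@pCustomerName nvarchar(50), @pFromDate date',  -- optional: parameter definitions
    @pCustomerName = @CustomerName,                   -- optional: parameter values
    @pFromDate     = @FromDate;

DROP TABLE #Orders;
```

Declaring a parameter that the final statement text does not reference, as with @pFromDate here, is allowed, so the same definition string can serve every combination of optional filters.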