SQL Server lets you execute dynamic SQL with the EXEC command. EXEC takes a single string, so the only way to get a runtime value into the query is to concatenate it into that string. If any part of the string comes from user input, an attacker can close the quoted literal and append SQL of their own, which is classic SQL injection.

The system procedure sp_executesql separates the statement text from its values: you pass a fixed statement that references named parameters, a declaration of those parameters and their types, and then the values themselves. The values are bound as typed parameters and are never parsed as SQL, so the call is injection-safe as long as user input only ever goes into the parameters. It does not help with the parts of a statement that cannot be parameterized, such as table, column or ORDER BY names; those still have to be checked against an allow-list and wrapped in QUOTENAME() before being concatenated.
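The following T-SQL is an added example, not code from the original post. It builds a temp table (so it runs in any session), shows the injectable EXEC pattern with a constructed hostile value, then the same query through sp_executesql, and finally the allow-list plus QUOTENAME() handling for an identifier that cannot be a parameter. The table and column names are assumed.

```sql
-- Added example: constructed #Customers data so the batch runs stand-alone.
CREATE TABLE #Customers (CustomerId int, LastName nvarchar(100));
INSERT INTO #Customers VALUES (1, N'Smith'), (2, N'Jones');

-- Constructed hostile input: the value is   x' OR 1=1 --
DECLARE @LastName nvarchar(100) = N'x'' OR 1=1 --';

-- 1. Vulnerable: the value is concatenated into the SQL text. The statement
--    that actually executes is
--      SELECT ... WHERE LastName = 'x' OR 1=1 --';
--    so the closing quote and the rest of the query are commented out and
--    every row (2 rows) is returned.
DECLARE @UnsafeSql nvarchar(max) =
    N'SELECT CustomerId, LastName FROM #Customers WHERE LastName = N'''
    + @LastName + N''';';
EXEC (@UnsafeSql);

-- 2. Safe: the SQL text is fixed and the value travels as a typed parameter.
--    The hostile string is compared as a literal value; 0 rows are returned.
DECLARE @Sql nvarchar(max) =
    N'SELECT CustomerId, LastName FROM #Customers WHERE LastName = @LastName;';
EXEC sys.sp_executesql
    @stmt   = @Sql,
    @params = N'@LastName nvarchar(100)',   -- parameter declarations
    @LastName = @LastName;                  -- parameter values

-- 3. Identifiers cannot be parameters. When a column name comes from user
--    input, validate it against an allow-list and wrap it in QUOTENAME()
--    before it is concatenated into the statement text.
DECLARE @SortColumn sysname = N'LastName';   -- assumed to come from the caller
IF @SortColumn NOT IN (N'CustomerId', N'LastName')
    THROW 50000, N'Invalid sort column', 1;
SET @Sql = N'SELECT CustomerId, LastName FROM #Customers ORDER BY '
         + QUOTENAME(@SortColumn) + N';';
EXEC sys.sp_executesql @stmt = @Sql;

DROP TABLE #Customers;
```

Step 1 and step 2 run the same logical query with the same input; only the first returns the whole table, which is the behaviour difference the post is describing. The THROW in step 3 is the check that keeps a rejected identifier from ever reaching the string concatenation.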
