fireball (fi******@onet.kropka.eu) writes:
please, in simple words, what is difference between :
sp_executesql
and
EXECUTE
sp_executesql gives you the possibility to use parameterised statements,
EXEC() does not. Parameterised statements have two important advantages:
o No risk for SQL injection.
o Better plan reuse in the plan cache.
For more details on this point, I have an article on my web site that
goes into detail on dynamic SQL,
http://www.sommarskog.se/dynamic_sql.html.
--
Erland Sommarskog, SQL Server MVP,
es****@sommarskog.se
Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/pro...ads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinf...ons/books.mspx