Dynamic SQL - EXEC(@SQL) versus EXEC SP_EXECUTESQL(@SQL)

Asked 13/2, 2009 at 23:25 Answered 6/1, 2014 at 12:0

105

What are the real world pros and cons of executing a dynamic SQL command in a stored procedure in SQL Server using

EXEC (@SQL)

versus

EXEC SP_EXECUTESQL @SQL

Cletacleti answered 13/2, 2009 at 23:25 Comment(0)

102

sp_executesql is more likely to promote query plan reuse. When using sp_executesql, parameters are explicitly identified in the calling signature. This excellent article descibes this process.

The oft cited reference for many aspects of dynamic sql is Erland Sommarskog's must read: "The Curse and Blessings of Dynamic SQL".

Care answered 13/2, 2009 at 23:29 Comment(1)

Please can you add reason why sp_executesql allows query plan re-use where as exec does not? – Katheleenkatherin 25/11, 2021 at 14:52

The big thing about SP_EXECUTESQL is that it allows you to create parameterized queries which is very good if you care about SQL injection.

Newark answered 13/2, 2009 at 23:28 Comment(2)

I don't think you can parameteize a dynamic sql without it?? – Newark 15/2, 2009 at 0:34

Absolutely one of the biggest reasons to use sp_executesql if building the query dynamically to prevent sql injection. – Noctiluca 16/3, 2011 at 18:50

Microsoft's Using sp_executesql article recommends using sp_executesql instead of execute statement.

Because this stored procedure supports parameter substitution, sp_executesql is more versatile than EXECUTE; and because sp_executesql generates execution plans that are more likely to be reused by SQL Server, sp_executesql is more efficient than EXECUTE.

So, the take away: Do not use execute statement. Use sp_executesql.

Shimberg answered 17/6, 2013 at 9:25 Comment(3)

Your takeaway does not stand always. There are occasions when there is no efficiency bonus by using sp_executesql, but you can protect your code from sql injection attack. Sometimes you just can't use sp_executesql the way you can use exec, so... someone said - there is no silver bullet. I agree. – Tunesmith 17/6, 2013 at 9:45

Yes, Microsoft should have put it as "more likely to be efficient". And being in the industry for some years, I have seen cases where sp_executesql cannot be used to replace execute. Perhaps I should put the point I am trying to stress as: Use sp_executesql instead of execute whenever possible. – Shimberg 17/6, 2013 at 17:0

Please can you add reason why sp_executesql allows query plan re-use where as exec does not? – Katheleenkatherin 25/11, 2021 at 14:52

I would always use sp_executesql these days, all it really is is a wrapper for EXEC which handles parameters & variables.

However do not forget about OPTION RECOMPILE when tuning queries on very large databases, especially where you have data spanned over more than one database and are using a CONSTRAINT to limit index scans.

Unless you use OPTION RECOMPILE, SQL server will attempt to create a "one size fits all" execution plan for your query, and will run a full index scan each time it is run.

This is much less efficient than a seek, and means it is potentially scanning entire indexes which are constrained to ranges which you are not even querying :@

Vociferation answered 6/1, 2014 at 12:0 Comment(0)

-2

Declare the variable
Set it by your command and add dynamic parts like use parameter values of sp(here @IsMonday and @IsTuesday are sp params)

execute the command

declare  @sql varchar (100)
set @sql ='select * from #td1'

if (@IsMonday+@IsTuesday !='')
begin
set @sql= @sql+' where PickupDay in ('''+@IsMonday+''','''+@IsTuesday+''' )'
end
exec( @sql)

Valdis answered 19/11, 2012 at 11:37 Comment(3)

This is open to SQL injection, if you put e.g. "a';DROP DATABASE DATABASE_NAME; GO;';" in the @IsMonday variable – Trisect 21/5, 2013 at 11:14

is it prone to sql injuction if @IsMonday is int ? – Grandmotherly 8/10, 2018 at 11:25

@VikasRana @IsMonday cannot be int in dynamic SQL. Note that @sql is declared as varchar or nvarchar – Prieto 10/7, 2020 at 2:22

Recommended topics

Hot tags