You can pass parameters to and from sp_executesql. See: https://msdn.microsoft.com/en-us/library/ms188001.aspx
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
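An added example (not part of the original post) of passing an input parameter and two OUTPUT parameters through sp_executesql. The temp table, column names and sample rows are constructed for illustration.

```sql
-- Constructed sample data; table and column names are hypothetical.
CREATE TABLE #Orders (
    OrderID      int PRIMARY KEY,
    CustomerName nvarchar(50),
    Amount       decimal(10,2)
);
INSERT INTO #Orders (OrderID, CustomerName, Amount)
VALUES (1, N'Alice', 120.00), (2, N'Bob', 75.50),
       (3, N'Alice', 30.25),  (4, N'O''Brien', 10.00);

-- The statement text is a fixed string; values are referenced only
-- through parameter placeholders, never concatenated into it.
DECLARE @sql nvarchar(max) = N'
    SELECT @cnt = COUNT(*), @total = ISNULL(SUM(Amount), 0)
    FROM #Orders
    WHERE CustomerName = @name;';

-- Parameter definition list: one input, two outputs.
DECLARE @params nvarchar(max) =
    N'@name nvarchar(50), @cnt int OUTPUT, @total decimal(10,2) OUTPUT';

DECLARE @OrderCount int, @OrderTotal decimal(10,2);

-- Pass a value in, and receive results back in the caller's variables.
-- OUTPUT must appear both in @params and on the EXEC argument.
EXEC sys.sp_executesql
     @sql,
     @params,
     @name  = N'Alice',
     @cnt   = @OrderCount OUTPUT,
     @total = @OrderTotal OUTPUT;

SELECT @OrderCount AS OrderCount, @OrderTotal AS OrderTotal;

-- A value containing quotes or SQL syntax is still bound as data:
-- it is compared against CustomerName as a literal string.
DECLARE @untrusted nvarchar(50) = N'x'' OR 1=1 --';

EXEC sys.sp_executesql
     @sql,
     @params,
     @name  = @untrusted,
     @cnt   = @OrderCount OUTPUT,
     @total = @OrderTotal OUTPUT;

SELECT @OrderCount AS OrderCount, @OrderTotal AS OrderTotal;

DROP TABLE #Orders;
```

Only values can be parameterized this way; object names such as table or column names cannot be passed as sp_executesql parameters.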