Hi,
I did not try your example per se, because it uses string concatenation with the @table or @col outside of quotes.
This will lead to SQL injection. What I was looking for was an example where the string looks like ' select @col from @table' all inside the quotes and then @col and @table are passed as variables to the sp_executesql stored procedure.
I never got it to work, but my app isn't a web app, so SQL injection is not a big deal. I just wanted to code it securely anyways.
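An added T-SQL example, not part of the post above and not the poster's code: sp_executesql parameters bind values only, so a table or column name cannot be passed the way ' select @col from @table' would need. One safe pattern is to resolve the names against the catalog, wrap them with QUOTENAME, and keep sp_executesql parameters for the values. The procedure name, the demo table and its Id column are assumptions made for illustration.

```sql
-- Constructed sample table so the example runs on its own (not from the post).
CREATE TABLE dbo.DemoCustomers (Id int PRIMARY KEY, Name nvarchar(50), City nvarchar(50));
INSERT INTO dbo.DemoCustomers VALUES (1, N'Ada', N'London'), (2, N'Linus', N'Helsinki');
GO

-- Hypothetical procedure: the caller chooses table and column by name.
CREATE PROCEDURE dbo.SelectColumnFromTable
    @table  sysname,
    @col    sysname,
    @id     int,
    @schema sysname = N'dbo'
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @safeTable nvarchar(520), @safeCol nvarchar(258), @sql nvarchar(max);

    -- Identifiers are looked up in the catalog; the SQL text is built only
    -- from names the server itself returned, each wrapped by QUOTENAME.
    SELECT @safeTable = QUOTENAME(s.name) + N'.' + QUOTENAME(t.name),
           @safeCol   = QUOTENAME(c.name)
    FROM sys.tables  AS t
    JOIN sys.schemas AS s ON s.schema_id = t.schema_id
    JOIN sys.columns AS c ON c.object_id = t.object_id
    WHERE s.name = @schema AND t.name = @table AND c.name = @col;

    -- No catalog match: stop before any dynamic SQL is built.
    IF @safeTable IS NULL
    BEGIN
        RAISERROR(N'Unknown table or column.', 16, 1);
        RETURN;
    END;

    -- Assumption: the target table has an Id column to filter on.
    -- The value stays a real parameter and is never concatenated.
    SET @sql = N'SELECT ' + @safeCol + N' FROM ' + @safeTable + N' WHERE Id = @id;';
    EXEC sys.sp_executesql @sql, N'@id int', @id = @id;
END;
GO

-- A name that exists in the catalog.
EXEC dbo.SelectColumnFromTable @table = N'DemoCustomers', @col = N'Name', @id = 1;

-- A constructed hostile "column name": it matches nothing in sys.columns,
-- so the procedure takes the RAISERROR branch instead of building SQL.
EXEC dbo.SelectColumnFromTable @table = N'DemoCustomers',
     @col = N'Name FROM sys.objects; --', @id = 1;
```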