RE: sp_executesql dynamic columns in select statement

  • The sp_executesql procedure works like a dynamic SP so you can only pass values, and not object names, as parameters.

    To guard against SQL injection you can validate column names against INFORMATION_SCHEMA.COLUMNS and table names against INFORMATION_SCHEMA.TABLES.
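The pattern the reply describes, as an added T-SQL example (not code from the original post): the column name is checked against INFORMATION_SCHEMA.COLUMNS and bracket-quoted before being spliced into the statement text, while the filter value is bound as a real sp_executesql parameter. The table dbo.Customers and its columns CustomerId and Country are assumed for illustration.

```sql
-- Added example, not from the original post. dbo.Customers, CustomerId and
-- Country are assumed names used only for illustration.
CREATE PROCEDURE dbo.SelectByColumn
    @ColumnName  sysname,
    @SearchValue nvarchar(100)
AS
BEGIN
    SET NOCOUNT ON;

    -- Whitelist check: an object name cannot be passed as a parameter, so it
    -- must be proven to be a real column of the target table before use.
    IF NOT EXISTS (
        SELECT 1
        FROM INFORMATION_SCHEMA.COLUMNS
        WHERE TABLE_SCHEMA = N'dbo'
          AND TABLE_NAME   = N'Customers'
          AND COLUMN_NAME  = @ColumnName
    )
    BEGIN
        RAISERROR(N'Invalid column name.', 16, 1);
        RETURN 1;
    END;

    -- Object name: validated above, then QUOTENAME'd as a second safeguard.
    -- Filter value: bound as @Value, never concatenated into the text.
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, ' + QUOTENAME(@ColumnName) + N'
          FROM dbo.Customers
          WHERE ' + QUOTENAME(@ColumnName) + N' = @Value;';

    EXEC sys.sp_executesql
        @sql,
        N'@Value nvarchar(100)',
        @Value = @SearchValue;
END;
GO

-- Constructed usage: a valid column is accepted and the value is parameterised.
EXEC dbo.SelectByColumn @ColumnName = N'Country', @SearchValue = N'Norway';

-- Constructed usage: a name that is not a column is rejected before any
-- dynamic statement is built.
EXEC dbo.SelectByColumn @ColumnName = N'NotAColumn', @SearchValue = N'Norway';
```

The comparison against INFORMATION_SCHEMA uses the database's default collation, so case sensitivity of the accepted column name follows that collation.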