I agree with Gail here. Passing a T-SQL statement through as an input parameter is just asking for trouble: whoever supplies that parameter can run any statement the procedure's caller is allowed to run.
It would be better to move the SQL itself into a procedure and have the caller pass only the table name, column name, key and value as separate parameters, something like this:
OLD METHOD
Exec proce_Name 'update table set column=''TEST'' where id=1'
NEW METHOD
EXEC dbo.SampleFoo 'MyTable','MyColumn',1,'TEST','UPDATE'
CREATE PROCEDURE dbo.SampleFoo
@TableName SYSNAME
,@ColumnName SYSNAME
,@ID INT
,@NewValue VARCHAR(50)
,@ActionType VARCHAR(50)
AS
BEGIN
SET NOCOUNT ON
DECLARE @strSQL NVARCHAR(4000)
IF @ActionType = 'UPDATE'
BEGIN
SET @strSQL =
@ActionType + ' '
+ @TableName
+ ' SET '
+ @ColumnName + ' = ''' + @NewValue + ''
+ 'WHERE ID = ' + @ID
EXEC sp_executeSQL @strSQL
END
ELSE IF @ActionType = 'INSERT'
BEGIN
SET @strSQL =
@ActionType + ' INTO ' + @Tablename +
+ '(' + @ColumnName + ')'
+ VALUES +
+ '(' + @NewValue + ')'
EXEC sp_executeSQL @strSQL
SELECT @ID = SCOPE_IDENTITY() --this gets the new ID after insertion
END