• I agree with Gail here. Passing TSQL through as input is just asking for trouble.

    It would be better to move the code into a procedure, something like this (with the caveat that the sample below still concatenates @NewValue, @TableName and @ColumnName into @strSQL — to actually close the injection hole, the value has to be bound via sp_executeSQL's parameter list and the identifiers wrapped in QUOTENAME or checked against a fixed list):

    OLD METHOD

    Exec proce_Name 'update table set column=''TEST'' where id=1'

    NEW METHOD

    EXEC dbo.SampleFoo 'MyTable','MyColumn',1,'TEST','UPDATE'

    CREATE PROCEDURE dbo.SampleFoo

    @TableName SYSNAME

    ,@ColumnName SYSNAME

    ,@ID INT

    ,@NewValue VARCHAR(50)

    ,@ActionType VARCHAR(50)

    AS

    BEGIN

    SET NOCOUNT ON

    DECLARE @strSQL NVARCHAR(4000)

    IF @ActionType = 'UPDATE'

    BEGIN

    SET @strSQL =

    @ActionType + ' '

    + @TableName

    + ' SET '

    + @ColumnName + ' = ''' + @NewValue + ''

    + 'WHERE ID = ' + @ID

    EXEC sp_executeSQL @strSQL

    END

    ELSE IF @ActionType = 'INSERT'

    BEGIN

    SET @strSQL =

    @ActionType + ' INTO ' + @Tablename +

    + '(' + @ColumnName + ')'

    + VALUES +

    + '(' + @NewValue + ')'

    EXEC sp_executeSQL @strSQL

    SELECT @ID = SCOPE_IDENTITY() --this gets the new ID after insertion

    END