• Brahmanand Shukla - Thursday, September 27, 2018 9:01 AM

    I have written my own blog
    https://brahmanand.tech.blog

    And #29 Avoid Dynamic SQL.

    Dynamic SQL is a tool.  If used appropriately it is good, but used inappropriately it is evil.  There are times that using dynamic SQL is necessary.  When using dynamic SQL, be sure to code defensively to avoid SQL injection.  Use EXEC sp_executesql so you can also send appropriate data as variables to dynamic SQL where this makes sense.  Also, TVPs make sense in this case as well to send multiple values where needed.
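
The pattern described in the comment above, as an added T-SQL example that is not part of the original comment: values travel as sp_executesql parameters, a TVP carries the multi-value filter, and the one identifier that cannot be a parameter is checked against the catalog and quoted. The names dbo.Orders, dbo.IntList and dbo.SearchOrders are hypothetical.

```sql
-- Added example; dbo.Orders, dbo.IntList and dbo.SearchOrders are hypothetical names.
CREATE TYPE dbo.IntList AS TABLE (Id int NOT NULL PRIMARY KEY);
GO
CREATE PROCEDURE dbo.SearchOrders
    @CustomerName nvarchar(100) = NULL,
    @StatusIds    dbo.IntList READONLY,    -- TVP: many values, no string splitting
    @SortColumn   sysname = N'OrderDate'
AS
BEGIN
    SET NOCOUNT ON;

    -- Identifiers cannot be passed as parameters, so accept the sort column
    -- only if it is a real column of the table, then quote it.
    IF NOT EXISTS (SELECT 1 FROM sys.columns
                   WHERE object_id = OBJECT_ID(N'dbo.Orders')
                     AND name = @SortColumn)
    BEGIN
        RAISERROR(N'Invalid sort column.', 16, 1);
        RETURN;
    END;

    DECLARE @sql nvarchar(max) = N'
        SELECT o.OrderId, o.CustomerName, o.OrderDate, o.StatusId
        FROM dbo.Orders AS o
        WHERE 1 = 1';

    -- Only fixed predicate text is concatenated; user values stay parameters.
    -- (The unsafe form would be: ... + @CustomerName + ... inside the string.)
    IF @CustomerName IS NOT NULL
        SET @sql += N' AND o.CustomerName = @CustomerName';

    IF EXISTS (SELECT 1 FROM @StatusIds)
        SET @sql += N' AND o.StatusId IN (SELECT Id FROM @StatusIds)';

    SET @sql += N' ORDER BY o.' + QUOTENAME(@SortColumn) + N';';

    EXEC sys.sp_executesql
        @sql,
        N'@CustomerName nvarchar(100), @StatusIds dbo.IntList READONLY',
        @CustomerName = @CustomerName,
        @StatusIds    = @StatusIds;
END;
GO
-- Usage: the quote in the name is treated as data, not as SQL text.
DECLARE @s dbo.IntList;
INSERT INTO @s (Id) VALUES (1), (3);
EXEC dbo.SearchOrders @CustomerName = N'O''Brien', @StatusIds = @s,
                      @SortColumn = N'OrderDate';
```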