• Interesting idea, but I have some points unclear...

    You can do SQL injection using EXEC, but I think there's no injection possibility using the sp_executesql stored procedure.

    Is sp_executesql inefficient? Well, it reuses the execution plans because you pass it the parameters that change.

    Josep.
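As an added illustration (my own example, not code from Josep's comment or from the post it replies to), here are the two styles the comment contrasts, side by side in T-SQL. The table, column and procedure names are assumed for the demonstration; the protection in the second procedure comes from passing the value as an sp_executesql parameter, which is what the comment means by "pass it the parameters".

```sql
-- Added example, not part of the original post. Table and column names
-- (dbo.Users, UserName, IsAdmin) are assumed for the demonstration.
CREATE TABLE dbo.Users (UserId INT IDENTITY PRIMARY KEY, UserName SYSNAME, IsAdmin BIT);
INSERT INTO dbo.Users (UserName, IsAdmin) VALUES (N'alice', 0), (N'bob', 1);
GO

-- 1. EXEC with string concatenation: the caller's input becomes part of the
--    SQL text itself, so it can change the statement's structure.
CREATE PROCEDURE dbo.FindUser_Exec @UserName NVARCHAR(128)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT UserId, UserName, IsAdmin FROM dbo.Users WHERE UserName = '''
        + @UserName + N'''';
    EXEC (@sql);
END
GO

-- 2. sp_executesql with the value passed as a parameter: the statement text is
--    constant, the input is bound as data, and the cached plan is reused for
--    every distinct value instead of one plan per concatenated string.
CREATE PROCEDURE dbo.FindUser_Param @UserName NVARCHAR(128)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT UserId, UserName, IsAdmin FROM dbo.Users WHERE UserName = @u';
    EXEC sp_executesql @sql, N'@u NVARCHAR(128)', @u = @UserName;
END
GO

-- Benign input: both procedures return the single row for alice.
EXEC dbo.FindUser_Exec  @UserName = N'alice';
EXEC dbo.FindUser_Param @UserName = N'alice';

-- Hostile input (the T-SQL literal below is the value  alice' OR 1=1 --  ).
-- The concatenated version executes
--   ... WHERE UserName = 'alice' OR 1=1 --'
-- and returns every row, admin included; the parameterised version looks for
-- a user literally named "alice' OR 1=1 --" and returns nothing.
EXEC dbo.FindUser_Exec  @UserName = N'alice'' OR 1=1 --';
EXEC dbo.FindUser_Param @UserName = N'alice'' OR 1=1 --';

-- Plan reuse check: after calling FindUser_Param with several different names,
-- the plan cache holds one entry for the parameterised statement whose
-- usecounts keeps climbing, while each distinct concatenated string from
-- FindUser_Exec gets its own entry.
SELECT cp.usecounts, cp.objtype, st.text
FROM sys.dm_exec_cached_plans AS cp
CROSS APPLY sys.dm_exec_sql_text(cp.plan_handle) AS st
WHERE st.text LIKE N'%FROM dbo.Users WHERE UserName%';
```

The caveat worth keeping in mind: sp_executesql only helps when the untrusted value is passed through its parameter list. If the value is concatenated into the @sql string before the call, sp_executesql executes exactly the same altered text that EXEC would, and neither the injection resistance nor the plan reuse applies.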