Dynamic SQL for Parameterized Queries
Parameterized queries in dynamic SQL are a way of building a SQL statement that contains parameter placeholders and supplying the values separately at execution time. Because user-supplied values are never spliced into the statement text, they are treated as data rather than as SQL, which prevents SQL injection.
DECLARE @sqlquery nvarchar(1000), @sqlGrade char(1)
-- The statement text is fixed; @eGrade is a placeholder, not a concatenated value.
SET @sqlquery = N'SELECT * FROM Students WHERE Grade = @eGrade'
SET @sqlGrade = 'B'
-- sp_executesql takes the statement, a declaration of its parameters, and the values.
EXEC sp_executesql @sqlquery, N'@eGrade char(1)', @eGrade = @sqlGrade
Here the Grade value is passed as a typed parameter (@eGrade) to sp_executesql while the dynamic SQL statement is executed. The statement text itself never changes, so whatever the value contains cannot alter the structure of the query. A further benefit is that the plan for the fixed statement text can be cached and reused across different parameter values.
Output:
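The following T-SQL script is an added example, not code from the original article. It places the unsafe string-concatenation form of dynamic SQL next to the sp_executesql form above so the difference can be observed directly, and it extends the idea to the one case parameters cannot cover: identifiers such as a column name in ORDER BY. The #Students temp table, its rows and the input values are constructed for the demonstration; the allow-list of sort columns and the error number 50000 are assumptions for illustration.

```sql
-- Added example (not from the original article). Constructed sample data so the
-- script runs stand-alone on SQL Server 2012+ or Azure SQL Database.
CREATE TABLE #Students (StudentId int IDENTITY(1,1), Name nvarchar(50), Grade char(1), Ssn char(11));
INSERT INTO #Students (Name, Grade, Ssn) VALUES
    (N'Alice', 'A', '111-11-1111'),
    (N'Bob',   'B', '222-22-2222'),
    (N'Carol', 'B', '333-33-3333');

-- Simulated user input. The hostile value closes the string literal, appends an
-- always-true condition and comments out the rest of the statement.
DECLARE @safeInput    nvarchar(100) = N'B';
DECLARE @hostileInput nvarchar(100) = N''' OR 1=1 --';

-- 1. VULNERABLE: the input is concatenated into the statement text.
DECLARE @sqlUnsafe nvarchar(1000);
SET @sqlUnsafe = N'SELECT Name, Grade FROM #Students WHERE Grade = ''' + @hostileInput + N'''';
PRINT @sqlUnsafe;   -- SELECT Name, Grade FROM #Students WHERE Grade = '' OR 1=1 --'
EXEC (@sqlUnsafe);  -- returns every row: the input has rewritten the WHERE clause

-- 2. HARDENED: the statement text is a constant; the value travels as a typed parameter.
DECLARE @sqlSafe nvarchar(1000) = N'SELECT Name, Grade FROM #Students WHERE Grade = @eGrade';
EXEC sp_executesql @sqlSafe, N'@eGrade char(1)', @eGrade = @hostileInput;
-- Returns no rows. The value is assigned to a char(1) parameter (silently truncated
-- to the single quote character), compared as data, and never parsed as SQL.
EXEC sp_executesql @sqlSafe, N'@eGrade char(1)', @eGrade = @safeInput;  -- Bob, Carol

-- 3. Identifiers (table or column names, ORDER BY targets) cannot be parameters.
-- Check them against an allow-list and wrap them in QUOTENAME so a stray ] or
-- quote cannot break out of the bracketed name.
DECLARE @sortColumn sysname = N'Name';   -- assumed to arrive from the application
IF @sortColumn NOT IN (N'Name', N'Grade')
    THROW 50000, N'Unsupported sort column', 1;
DECLARE @sqlSorted nvarchar(1000) =
    N'SELECT Name, Grade FROM #Students WHERE Grade = @eGrade ORDER BY ' + QUOTENAME(@sortColumn);
EXEC sp_executesql @sqlSorted, N'@eGrade char(1)', @eGrade = @safeInput;

DROP TABLE #Students;
```

Run the script in SSMS or sqlcmd and compare the three result sets: the concatenated query leaks all rows including the Ssn-bearing ones for Alice, the parameterized query returns nothing for the hostile value and only the B-grade students for the legitimate one, and the sorted query shows that the part of a statement which must remain dynamic is confined to a validated, quoted identifier rather than free text.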
Dynamic SQL in SQL Server
In SQL Server, queries sometimes need to be dynamic rather than static, meaning the complete SQL statement is assembled at run time as a string from user input and application logic. This can be done in queries issued by back-end applications or inside stored procedures. This article looks at how dynamic SQL is created and where it is useful, the security issues (chiefly SQL injection) that arise when input is concatenated into the statement text, and how to handle them.