We all know Stored Procedure are better than having any dynamic SQL Statement, There are times where dynamic SQL Statement is unavoidable. In such cases we can make use of dynamic SQL, there are two options to run dynamic SQL.
EXEC | SP_ExecuteSQL |
Every time the Execution Plan is created for different parameters | Reuses the execution plan |
May introduce SQL injection | Parameters are safe from SQL Injection |
Type casting is required | Type casting not required |
slow as every time the execution plan needs to be created | faster as execution plan is reused. |
Non-parameterized | Parameterized |
Make use of SP_ExecuteSQL over EXEC.
No comments:
Post a Comment