Dynamic SQL - EXEC(@SQL) versus EXEC SP_EXECUTESQL(@SQL)

sql sql-server dynamic
213,153

Solution 1

sp_executesql is more likely to promote query plan reuse. When using sp_executesql, parameters are explicitly identified in the calling signature. This excellent article descibes this process.

The oft cited reference for many aspects of dynamic sql is Erland Sommarskog's must read: "The Curse and Blessings of Dynamic SQL".

Solution 2

The big thing about SP_EXECUTESQL is that it allows you to create parameterized queries which is very good if you care about SQL injection.

Solution 3

Microsoft's Using sp_executesql article recommends using sp_executesql instead of execute statement.

Because this stored procedure supports parameter substitution, sp_executesql is more versatile than EXECUTE; and because sp_executesql generates execution plans that are more likely to be reused by SQL Server, sp_executesql is more efficient than EXECUTE.

So, the take away: Do not use execute statement. Use sp_executesql.

Solution 4

I would always use sp_executesql these days, all it really is is a wrapper for EXEC which handles parameters & variables.

However do not forget about OPTION RECOMPILE when tuning queries on very large databases, especially where you have data spanned over more than one database and are using a CONSTRAINT to limit index scans.

Unless you use OPTION RECOMPILE, SQL server will attempt to create a "one size fits all" execution plan for your query, and will run a full index scan each time it is run.

This is much less efficient than a seek, and means it is potentially scanning entire indexes which are constrained to ranges which you are not even querying :@

Share:
213,153

Related videos on Youtube

Ash Machine
Author by

Ash Machine

Updated on April 16, 2020

Comments

  • Ash Machine
    Ash Machine about 4 years

    What are the real world pros and cons of executing a dynamic SQL command in a stored procedure in SQL Server using

    EXEC (@SQL)

    versus

    EXEC SP_EXECUTESQL @SQL

    ?

  • Steven Rogers
    Steven Rogers over 13 years
    Absolutely one of the biggest reasons to use sp_executesql if building the query dynamically to prevent sql injection.
  • Erik A. Brandstadmoen
    Erik A. Brandstadmoen about 11 years
    This is open to SQL injection, if you put e.g. "a';DROP DATABASE DATABASE_NAME; GO;';" in the @IsMonday variable
  • OzrenTkalcecKrznaric
    OzrenTkalcecKrznaric about 11 years
    Your takeaway does not stand always. There are occasions when there is no efficiency bonus by using sp_executesql, but you can protect your code from sql injection attack. Sometimes you just can't use sp_executesql the way you can use exec, so... someone said - there is no silver bullet. I agree.
  • Gan
    Gan about 11 years
    Yes, Microsoft should have put it as "more likely to be efficient". And being in the industry for some years, I have seen cases where sp_executesql cannot be used to replace execute. Perhaps I should put the point I am trying to stress as: Use sp_executesql instead of execute whenever possible.
  • Vikas Rana
    Vikas Rana over 5 years
    is it prone to sql injuction if @IsMonday is int ?
  • Weihui Guo
    Weihui Guo almost 4 years
    @VikasRana @IsMonday cannot be int in dynamic SQL. Note that @sql is declared as varchar or nvarchar
  • variable
    variable over 2 years
    Please can you add reason why sp_executesql allows query plan re-use where as exec does not?
  • variable
    variable over 2 years
    Please can you add reason why sp_executesql allows query plan re-use where as exec does not?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

SQL Server: issue with declaring variable in dynamic SQL
SQL Server dynamic queries
Dynamic pivot table with multiple columns in sql server
T-SQL dynamic pivot
Converting image files to VARBINARY(max) in flutter
Creating Flutter Web Server that connects to an SQL server
How to connect Flutter app to SQL Server to send queries
TSQL Add two Numbers
Split and count the values merged with delimiters
How to UPDATE TOP 400?