Stored procedure EXEC vs sp_executesql difference?

Question

I\'ve written two stored procedure one with sp_executesql and other doesn\'t have sp_executesql both are executing properly same results, I didn\'t get what is

Answer 1

With sp_executesql, you don't have to build your query like that. You could declare it like this:

DECLARE @SQL as nvarchar(128) = 'select ' + @Columns + ' from ' + 
@TableName + ' where Status=@eStatus'

This way if your @Status value came from a user you can use @eStatus and not have to worry about escaping '. sp_executesql gives you the ability to put variables in your query in string form, instead of using concatenation. So you have less to worry about.

The column and table variables are still the same, but that's less likely to be directly from a user.