Chapter 4. Dynamic SQL
Dynamic SQL (code that is executed dynamically), like cursors and temporary tables, is another area of T-SQL that should be used with care and wisdom. It can be used in an unsafe way that leads to serious security breaches, and it can produce code that performs badly and is difficult to maintain. On the other hand, when used wisely, dynamic SQL can help you achieve things that would be difficult to achieve any other way, and in some cases it is the only way to get good performance. In short, using dynamic SQL requires programmatic maturity.
I’ll discuss some of the potential security breaches involved ...