exec vs sp executesql in sql server

preview_player
Показать описание
Text version of the video

Healthy diet is very important both for the body and mind. If you like Aarvi Kitchen recipes, please support by sharing, subscribing and liking our YouTube channel. Hope you can help.

Slides

Dot Net & SQL Server Tutorials

In this video we will discuss the difference between exec and sp_executesql.

In SQL Servere we have 2 options to execute dynamic sql
1. Exec/Execute
2. sp_executesql

We discussed sp_executesql in detail in Part 138 of SQL Server tutorial. Please check out that video if you are new to sp_executesql.

If you do a quick search on the internet for the difference between exec and sp_executesql, you will see that many articles on the web states using exec over sp_executesql will have the following 2 problems
1. It open doors for sql injection attacks
2. Cached query plans may not be reused and leads to poor performance

This is generally true, but if you use QUOTENAME() function you can avoid sql injection attacks and with sql server auto-parameterisation capability the cached query plans can be reused so performance is also not an issue. Let's understand these with examples.

What is exec() in SQL Server
Exec() or Execute() function is used to execute dynamic sql and has only one parameter i.e the dynamic sql statement you want to execute.

As you can see in the example below, we are concatenating strings to build dynamic sql statements which open doors for sql injection.

Declare @FN nvarchar(50)
Set @FN = 'John'
Declare @sql nvarchar(max)
Set @sql = 'Select * from Employees where FirstName = ''' + @FN + ''''

If we set @FN parameter to something like below, it drops SalesDB database

Declare @FN nvarchar(50)
Set @FN = ''' Drop Database SalesDB --'''
Declare @sql nvarchar(max)
Set @sql = 'Select * from Employees where FirstName = ''' + @FN + ''''

However, we can prevent SQL injection using the QUOTENAME() function as shown below.

Declare @FN nvarchar(50)
Set @FN = ''' Drop Database SalesDB --'''
Declare @sql nvarchar(max)
--Print @sql

Notice with the quotename function we are using a single quote as a delimiter. With the use of this function if there is a single quote in the user input it is doubled.

For example, if we set @FN='John', notice the string 'John' is wrapped in single quotes

Declare @FN nvarchar(50)
Set @FN = 'John'
Declare @sql nvarchar(max)
Print @sql

When the above query is executed the following is the query printed
Select * from Employees where FirstName = 'John'

Along the same lines, if we try to inject sql, QUOTENAME() function wraps all that input in another pair of single quotes treating it as a value for the FirstName column and prevents SQL injection.

With sql server auto-parameterisation capability the cached query plans can be reused. SQL Server can detect parameter values and create parameterised queries on its own, even if you don't explicitly declare them. However, there are exceptions to this. Auto-parameterisation comes in 2 flavours - Simple and Forced. We will discuss auto-parameterisation in detail in a later video.

Execute the following DBCC command to remove all entries from the plan cache
DBCC FREEPROCCACHE

Execute the following query. Notice we have set @FN='Mary'
Declare @FN nvarchar(50)
Set @FN = 'Mary'
Declare @sql nvarchar(max)

Execute the following query to retrieve what we have in the query plan cache

Notice we have an auto-parameterised query and at the moment usecounts is 1.

Now change @FN='Mark' and execute the same query. After the query is completed, retrieve the entries from the plan cache. Notice the usecounts for the auto-parameterised query is 2, suggesting that the same query plan is reused.

Summary
1. If you use QUOTENAME() function, you can prevent sql injection while using Exec()
2. Cached query plan reusability is also not an issue while using Exec(), as SQL server automatically parameterize queries.
3. I personally prefer using sp_executesql over exec() as we can explicitly parameterise queries instead of relying on sql server auto-parameterisation feature or QUOTENAME() function. I use Exec() only in throw away scripts rather than in production code.
Рекомендации по теме
Комментарии
Автор

Is it necessary to wrap @fn with single quotes when concatenating the strings? Minute (2:19)
Thank You!

abdullahmohammad
Автор

Please don't forget to hit the like button if you like it.

raqibul
Автор

Sir..i have a doubt..is power bi and data analyst jobs are different???

srividya
Автор

Can you please record some videos of mvvm architecture with wpf or mvc

SukantaSharma
Автор

Hi sir please record some videos for salesforce developers

avadheshkushvaha
Автор

EXEC() will work more then one declare variable value please check again

Set @FN = 'HMC Building #2'
set @fcy_id = 15
Declare @sql nvarchar(max)
--print @sql

jaik
Автор

I love your videos, but there was no logic given that helped me understand why not to use Exec. In fact, you just proved the opposite. If you use Quotename then you pretty much negate all the drawbacks of using Exec. I already have code developed that uses Exec. Putting in Quotename will not be too much trouble. That's why I am wondering, should I go to trouble of making parameterized? I don't see any reason. Thank you. Great work, BTW. Can't thank you enough for this.

KM-szyv