21 April 2011

Difference between sp_executesql and EXEC() in Sql Server



EXEC() - takes a single string expression and runs it as a batch; any user-supplied value has to be concatenated into that string, so it becomes part of the statement text.
sp_executesql - its first parameter is a parameterized SQL statement; the second parameter is a parameter-list declaration, similar to the parameter
list present in the declaration of a stored procedure, and the remaining arguments supply the values for those parameters.

If a malicious user enters a SQL injection value such as ' or '1'='1, EXEC() executes the malicious code as part of the statement,
but sp_executesql will search for the literal value ' or '1'='1 as the product name in the database,
thus preventing SQL injection attacks.
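The following T-SQL is an added example, not code from the original post. It creates a small constructed temp table (#Products, with two made-up rows) and runs the same attacker value from the post through both patterns, so the difference can be seen in one session: EXEC() returns every row because the quotes are spliced into the statement text, while sp_executesql returns nothing because the value is compared as a typed parameter.

```sql
-- Constructed sample data (not from the original post)
CREATE TABLE #Products (ProductID INT, ProductName NVARCHAR(100));
INSERT INTO #Products (ProductID, ProductName) VALUES (1, N'Widget'), (2, N'Gadget');

-- The attacker-supplied value from the post: ' or '1'='1
DECLARE @name NVARCHAR(100) = N''' or ''1''=''1';

-- 1) EXEC(): the value is concatenated into the statement, so the quote
--    characters rewrite the WHERE clause. The resulting text is
--    WHERE ProductName = '' or '1'='1'  which is true for every row.
DECLARE @sql NVARCHAR(MAX);
SET @sql = N'SELECT ProductID, ProductName FROM #Products WHERE ProductName = '''
         + @name + N'''';
PRINT @sql;   -- shows the rewritten statement
EXEC(@sql);   -- returns both rows

-- 2) sp_executesql: the statement text is fixed and @p is declared as a
--    parameter, so the same value is compared as a literal product name.
DECLARE @stmt NVARCHAR(MAX) =
    N'SELECT ProductID, ProductName FROM #Products WHERE ProductName = @p';
EXEC sp_executesql @stmt, N'@p NVARCHAR(100)', @p = @name;   -- returns no rows

DROP TABLE #Products;
```

Because the statement text passed to sp_executesql never changes, SQL Server can also reuse one cached execution plan for every value of @p, which is a second reason to prefer it over string concatenation.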
