
Using QUOTENAME() to Secure Dynamic SQL

Andy Brownsword uses the QUOTENAME() function:

I’m a big fan of dynamic SQL in the right conditions. One key to crafting safe dynamic queries is the use of the QUOTENAME function.

My personal preference is to use exec sp_executesql for parameterization instead, simply because it’s a lot harder to mess up.
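As an added example that is not code from Andy Brownsword’s post or from this site, the T-SQL below puts the two ideas side by side: an unsafe query built purely by string concatenation, then the same query with the caller-supplied schema, table and column names wrapped in QUOTENAME() and the filter value handed to sp_executesql as a parameter. The schema, table and column names and the hostile filter value are constructed for the illustration and do not refer to any real database.

```sql
-- Added example, not from the original post. The object names and the
-- hostile filter value are constructed for the illustration.
DECLARE @SchemaName nvarchar(max) = N'dbo';
DECLARE @TableName  nvarchar(max) = N'Customers';
DECLARE @ColumnName nvarchar(max) = N'Region';
DECLARE @Filter     nvarchar(100) = N'West'' OR 1=1 --';  -- hostile value

-- Unsafe: every fragment, including the value, is concatenated into the
-- statement text, so the quote inside @Filter ends the literal early and
-- the rest of the input becomes live SQL.
DECLARE @Unsafe nvarchar(max) =
      N'SELECT * FROM ' + @SchemaName + N'.' + @TableName
    + N' WHERE ' + @ColumnName + N' = ''' + @Filter + N''';';
PRINT @Unsafe;

-- Safer, step 1: only accept identifiers that name a real column of a real
-- table. Anything else (including injected text) is rejected up front.
IF NOT EXISTS (
    SELECT 1
    FROM sys.columns AS c
    JOIN sys.tables  AS t ON t.object_id = c.object_id
    JOIN sys.schemas AS s ON s.schema_id = t.schema_id
    WHERE s.name = @SchemaName
      AND t.name = @TableName
      AND c.name = @ColumnName)
BEGIN
    THROW 50000, N'Unknown schema, table or column.', 1;
END;

-- Step 2: QUOTENAME() brackets each identifier and doubles any ']' inside
-- it, so a name such as N'Customers]; DROP TABLE x--' becomes the single
-- (non-existent) identifier [Customers]]; DROP TABLE x--] rather than two
-- statements. The value is NOT concatenated; it is a parameter placeholder.
DECLARE @Sql nvarchar(max) =
      N'SELECT * FROM ' + QUOTENAME(@SchemaName) + N'.' + QUOTENAME(@TableName)
    + N' WHERE ' + QUOTENAME(@ColumnName) + N' = @Value;';

-- QUOTENAME() returns NULL when its input is longer than 128 characters,
-- which would silently turn the whole statement into NULL. Fail loudly.
IF @Sql IS NULL
    THROW 50001, N'Identifier too long for QUOTENAME().', 1;

PRINT @Sql;

-- Step 3: sp_executesql binds @Filter to @Value as data, so the embedded
-- quote and the trailing "OR 1=1 --" are compared against the column,
-- never parsed as SQL.
EXEC sys.sp_executesql
    @Sql,
    N'@Value nvarchar(100)',
    @Value = @Filter;
```

QUOTENAME() protects identifiers only; it does nothing for values, which is why the filter goes through sp_executesql rather than into the string. Checking the supplied names against sys.columns before quoting them is an extra layer that QUOTENAME() alone does not give you: a name that survives quoting but matches no object still fails the query, so rejecting it early produces a clearer error and keeps attacker-controlled text out of the statement entirely.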