BP013
Published 16 November 2017
EXECUTE('SQL script') is used
EXECUTE('SQL script') is being used to execute a SQL batch in a string.
Avoid using EXEC to run dynamic SQL. EXEC is retained for backward compatibility, and because it executes whatever string it is given, any caller-supplied value concatenated into that string can alter the SQL text (SQL injection). Use sp_executesql instead: it allows parameter substitution for both inputs and outputs, and because the statement text stays the same across calls, the execution plan that sp_executesql produces is more likely to be reused.
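As an added example (not part of the rule text), the flagged EXECUTE pattern is shown beside the sp_executesql form the rule recommends, including an output parameter. The table, column and variable names are assumptions made for the illustration.

```sql
-- Constructed sample data; names are assumptions, not from the rule text.
CREATE TABLE dbo.Customer (CustomerId INT PRIMARY KEY, CustomerName NVARCHAR(100));
INSERT INTO dbo.Customer (CustomerId, CustomerName) VALUES (1, N'Alice'), (2, N'O''Brien');

DECLARE @Name NVARCHAR(100) = N'O''Brien';   -- value containing a single quote

-- Flagged pattern (BP013): the value is concatenated into the batch string,
-- so the quote inside @Name becomes part of the SQL text rather than data.
-- The batch text also differs for every distinct @Name, defeating plan reuse.
BEGIN TRY
    DECLARE @Batch NVARCHAR(MAX) =
        N'SELECT CustomerId FROM dbo.Customer WHERE CustomerName = ''' + @Name + N'''';
    EXECUTE (@Batch);
END TRY
BEGIN CATCH
    -- The malformed text fails to parse; a crafted value could instead run as SQL.
    SELECT ERROR_MESSAGE() AS ConcatenationProblem;
END CATCH;

-- Preferred pattern: a fixed statement text plus typed parameters.
-- @Name travels as a parameter value, never as SQL text, and the identical
-- statement text lets the cached plan be reused on every call.
DECLARE @Stmt NVARCHAR(MAX) =
    N'SELECT @Id = CustomerId FROM dbo.Customer WHERE CustomerName = @CustomerName;';
DECLARE @FoundId INT;

EXEC sys.sp_executesql
    @stmt   = @Stmt,
    @params = N'@CustomerName NVARCHAR(100), @Id INT OUTPUT',
    @CustomerName = @Name,
    @Id = @FoundId OUTPUT;   -- output parameter substitution

SELECT @FoundId AS FoundCustomerId;
```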