BP013

EXECUTE('SQL script') is used

EXECUTE('SQL script') is being used to execute a SQL batch in a string.

Avoid using EXEC to run dynamic SQL. EXEC(string) offers no way to get a value into the batch other than concatenating it into the string, and that concatenation is the SQL injection vector: whatever the value contains is parsed as T-SQL. Use sp_executesql instead. It takes a fixed batch text plus typed parameters, for both inputs and outputs, so a caller-supplied value is only ever treated as data, and because the batch text stays constant across calls the execution plan that sp_executesql produces is far more likely to be reused than the plan for a batch whose text changes with every value embedded in it.
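The following is an added example, not code from the Redgate rule page or from SQL Prompt itself. It shows the EXEC(string) pattern the rule flags beside its sp_executesql replacement, including an OUTPUT parameter returned from the dynamic batch. The table dbo.Customers, its columns, and the two procedure names are assumptions made for the illustration; run it in a scratch database.

```sql
-- Added example, not from the Redgate page. dbo.Customers, its columns and the
-- procedure names below are assumptions for illustration only.

CREATE TABLE dbo.Customers
(
    CustomerId int IDENTITY(1, 1) PRIMARY KEY,
    Email      nvarchar(256) NOT NULL,
    IsActive   bit NOT NULL
);
INSERT INTO dbo.Customers (Email, IsActive)
VALUES (N'alice@example.com', 1), (N'bob@example.com', 0);
GO

-- Flagged by BP013: the caller's value is concatenated into the batch text,
-- so anything it contains is parsed as T-SQL rather than compared as data.
CREATE PROCEDURE dbo.GetCustomer_Unsafe @Email nvarchar(256)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Email FROM dbo.Customers WHERE Email = N'''
        + @Email + N'''';
    EXEC (@sql);
END;
GO

-- This input closes the string literal, adds a tautology and comments out the
-- trailing quote, so the procedure returns every row.
EXEC dbo.GetCustomer_Unsafe N'x'' OR 1=1 --';
GO

-- The sp_executesql form: the batch text is a constant and the value arrives as
-- a typed parameter that the parser never sees as code. @RowCount demonstrates
-- an OUTPUT parameter coming back out of the dynamic batch.
CREATE PROCEDURE dbo.GetCustomer_Safe
    @Email    nvarchar(256),
    @RowCount int OUTPUT
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Email FROM dbo.Customers WHERE Email = @Email;
          SET @Rows = @@ROWCOUNT;';
    EXEC sys.sp_executesql
        @sql,
        N'@Email nvarchar(256), @Rows int OUTPUT',
        @Email = @Email,
        @Rows  = @RowCount OUTPUT;
END;
GO

-- The same hostile input is now compared as a literal string and matches nothing.
DECLARE @n int;
EXEC dbo.GetCustomer_Safe N'x'' OR 1=1 --', @n OUTPUT;
SELECT @n AS MatchedRows;
GO
```

The first call returns both customers; the second returns no rows and leaves @n at 0. One caveat: sp_executesql parameterises values only. If the dynamic part is an identifier such as a table or column name, it cannot be passed as a parameter; wrap it with QUOTENAME() and validate it against an allow-list (for example a lookup in sys.objects) before it is spliced into the batch text.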


This documentation contains proprietary information and is protected by copyright law.
Copyright © 2026 Red Gate Software Limited. All rights reserved

