We have an old project, 10-12 years old now. It was using SQL2000, which we have now moved to SQL2008.
While doing this task I found that the stored procedures were accepting parameters, then constructing the query as a string and using EXEC to execute the command.
CREATE PROCEDURE MyProc
(@TableName varchar(255),
@FirstName varchar(50),
@LastName varchar(50))
AS
-- Create a variable @SQLStatement
DECLARE @SQLStatement varchar(255)
-- Enter the dynamic SQL statement into the
-- variable @SQLStatement (single-quoted literals, and a space before WHERE
-- so the table name and the keyword do not run together)
SELECT @SQLStatement = 'SELECT * FROM ' +
@TableName + ' WHERE FirstName = '''
+ @FirstName + ''' AND LastName = '''
+ @LastName + ''''
-- Execute the SQL statement (the parameter values are part of the query text,
-- so a quote character in @FirstName or @LastName changes the query itself)
EXEC(@SQLStatement)
Is this a bad approach? Does this kill the benefits of a stored procedure (the pre-compiled query benefit)?
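For comparison, here is the same procedure written the way it is usually done on SQL 2005/2008: the table name is checked against the catalog and wrapped in QUOTENAME, and the two values go to sp_executesql as real parameters rather than into the query text. This is an added example, not code from the question; MyProc_Safe and the dbo schema are assumed.

```sql
-- Added example: parameterised dynamic SQL instead of string concatenation.
CREATE PROCEDURE MyProc_Safe
(@TableName sysname,
 @FirstName varchar(50),
 @LastName  varchar(50))
AS
BEGIN
    SET NOCOUNT ON;

    -- A table name cannot be passed as a parameter of sp_executesql, so it is
    -- the one part that must be concatenated. Accept only names of existing
    -- base tables, and QUOTENAME the value so it stays a single identifier.
    IF NOT EXISTS (SELECT 1 FROM sys.tables WHERE name = @TableName)
    BEGIN
        RAISERROR('Unknown table: %s', 16, 1, @TableName);
        RETURN;
    END;

    DECLARE @SQLStatement nvarchar(max);
    SET @SQLStatement = N'SELECT * FROM dbo.' + QUOTENAME(@TableName)
                      + N' WHERE FirstName = @fn AND LastName = @ln;';

    -- The values are bound as parameters: a quote inside @FirstName is data,
    -- not SQL, and the plan for each table name is cached and reused because
    -- the statement text is identical from call to call.
    EXEC sp_executesql @SQLStatement,
         N'@fn varchar(50), @ln varchar(50)',
         @fn = @FirstName, @ln = @LastName;
END;
```

Because the text of the batch no longer changes with every name, plan caching behaves much as it does for a static query in a stored procedure; only the table-name part still varies.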