Using Static and Dynamic Statements
New Information - SQL Server 2000 SP3.
Embedded SQL for C (ESQL/C) supports both static and dynamic SQL statements.
A static SQL statement is a complete Transact-SQL statement that is embedded in the program source code. Static SQL statements can be placed into stored procedures and can contain host variables.
With dynamic SQL statements, the complete structure of the statement does not have to be known when the application is built. Dynamic SQL statements allow run-time input to supply information about the database objects to query, such as the table or column names, or the values to search for.
A dynamic SQL statement is an incomplete Transact-SQL statement, some or all of which is supplied at run time.
Security Note Validate all user input. Do not concatenate user input before validating it. Never execute a command constructed from unvalidated user input. When a run-time value such as a search key comes from the user, pass it to the server through a host variable or a parameter marker in a PREPAREd statement rather than writing it into the statement text; text run through EXECUTE IMMEDIATE cannot carry parameter markers, so any run-time value in it must be assembled into the string by the program, which is exactly the construction the first three sentences warn against. For more information, see Validating User Input.
Dynamic SQL statements created by using the PREPARE and EXECUTE statements can contain parameter markers and host variables. Parameter markers are question marks (?) that act as placeholders for information supplied at run time. Dynamic SQL statements executed by using the EXECUTE IMMEDIATE statement must conform to Transact-SQL language rules. They cannot contain parameter markers, host variables, or keywords that pertain exclusively to ESQL/C.
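The following ESQL/C program contrasts the two dynamic forms described above. It is an added example, not code from the original page: the server name, login, and the use of the pubs sample database's authors table are assumptions for illustration, and the program is expected to go through the ESQL/C precompiler before the C compiler. The first function builds the statement text around a user-supplied author ID and runs it with EXECUTE IMMEDIATE, so the input can change the statement; the second keeps the statement text fixed and passes the same input through a parameter marker with PREPARE and EXECUTE, so it can only ever be a value.

```esql
/* Added example, not from the original page.  Assumes the pubs sample
   database on a local SQL Server 2000 instance and a login supplied here
   as a literal; server, login and table are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

EXEC SQL INCLUDE sqlca;

EXEC SQL BEGIN DECLARE SECTION;
    char szServer[] = "localhost.pubs";   /* server.database (assumed) */
    char szLogin[]  = "sa.password";      /* login.password (assumed)  */
    char szAuId[64];                      /* run-time input, e.g. 172-32-1176 */
    char szPhone[64];
    char szStmt[256];
EXEC SQL END DECLARE SECTION;

/* UNSAFE: EXECUTE IMMEDIATE takes only a complete statement, so the program
   must splice the user's value into the text.  Input such as
       172-32-1176' OR 'a'='a
   closes the quoted literal and rewrites the WHERE clause, and the UPDATE
   then touches every row in authors. */
int update_phone_immediate(const char *au_id, const char *phone)
{
    /* Guard the C buffer; the SQL injection is the flaw being shown, not an overflow. */
    if (strlen(au_id) + strlen(phone) + 48 >= sizeof szStmt)
        return -1;
    sprintf(szStmt,
            "UPDATE authors SET phone = '%s' WHERE au_id = '%s'",
            phone, au_id);
    EXEC SQL EXECUTE IMMEDIATE :szStmt;
    return SQLCODE;
}

/* SAFE: the statement text never changes; the values travel separately
   through the ? parameter markers and are never parsed as SQL.  The same
   hostile string above is compared literally against au_id and matches nothing. */
int update_phone_prepared(const char *au_id, const char *phone)
{
    strncpy(szAuId, au_id, sizeof szAuId - 1);
    szAuId[sizeof szAuId - 1] = '\0';
    strncpy(szPhone, phone, sizeof szPhone - 1);
    szPhone[sizeof szPhone - 1] = '\0';

    strcpy(szStmt, "UPDATE authors SET phone = ? WHERE au_id = ?");
    EXEC SQL PREPARE upd FROM :szStmt;
    if (SQLCODE != 0)
        return SQLCODE;
    /* Host variables are bound to the markers in order: phone first, then au_id. */
    EXEC SQL EXECUTE upd USING :szPhone, :szAuId;
    return SQLCODE;
}

int main(void)
{
    const char *hostile = "172-32-1176' OR 'a'='a";   /* constructed test input */

    EXEC SQL CONNECT TO :szServer USER :szLogin;
    if (SQLCODE != 0) {
        fprintf(stderr, "connect failed, SQLCODE %ld\n", (long)SQLCODE);
        return 1;
    }

    /* Same input down both paths: the first rewrites the statement,
       the second treats it as an author ID that does not exist. */
    printf("immediate: SQLCODE %ld\n", (long)update_phone_immediate(hostile, "000 000-0000"));
    printf("prepared:  SQLCODE %ld\n", (long)update_phone_prepared(hostile, "000 000-0000"));

    EXEC SQL DISCONNECT ALL;
    return 0;
}
```

The point to check in practice is whether any user-controlled byte ends up inside szStmt before it reaches the server; with PREPARE and EXECUTE only the program's own constant string does, and the values arrive typed through the markers.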