Use:

用：

BEGIN

  EXEC sp_executesql @nvarchar_parameter

END

...assuming the parameter is an entire SQL query. If not:

...假设参数是一个完整的 SQL 查询。如果不：

DECLARE @SQL NVARCHAR(4000)
SET @SQL = 'SELECT ...' + @nvarchar_parameter

BEGIN

  EXEC sp_executesql @SQL

END

Be aware of SQL Injection attacks, and I highly recommend reading The curse and blessing of Dynamic SQL.

注意SQL 注入攻击，我强烈推荐阅读动态 SQL 的诅咒和祝福。

you can just exec @sqlStatement from within your sp. Though, its not the best thing to do because it opens you up to sql injection. You can see an example here

你可以在你的 sp 中执行 @sqlStatement。不过，这不是最好的做法，因为它会让您接受 sql 注入。你可以在这里看到一个例子

You use EXECUTEpassing it the command as a string. Note this could open your system up to serious vulnerabilities given that it is difficult to verify the non-maliciousness of the SQL statements you are blindly executing.

您使用EXECUTE将命令作为字符串传递给它。请注意，鉴于很难验证您盲目执行的 SQL 语句的非恶意性，这可能会使您的系统面临严重漏洞。

How do I execute the supplied sql command from within the SP?

如何从 SP 中执行提供的 sql 命令？

Very carefully. That code could do anything, including add or delete records, or even whole tables or databases.

非常小心。该代码可以做任何事情，包括添加或删除记录，甚至整个表或数据库。

To be safe about this, you need to create a separate user account that only has dbreader permissions on just a small set of allowed tables/views and use the EXECUTE AScommand to limit the context to that user.

为了安全起见，您需要创建一个单独的用户帐户，该帐户仅对一小组允许的表/视图具有 dbreader 权限，并使用EXECUTE AS命令将上下文限制为该用户。