DYNAMIC SQL SQL Compatibility | MySQL, PostgreSQL, SQL Server, Oracle, SQLite

Constructing and executing a SQL statement as a string at runtime, allowing the query structure to vary based on input.

Pre-compiled SQL templates that can be executed with different parameter values, improving performance for repeated queries and preventing SQL injection. Parameters are bound rather than concatenated, separating code from data.

Compatibility

SQL DYNAMIC SQL Compatibility Across Databases
Database System	Support Status	Since Version	Notes
MySQL	Native	5.0	PREPARE/EXECUTE/DEALLOCATE PREPARE syntax works inside stored routines and at the session level. Parameterized via USING.
PostgreSQL	Native	7.4	EXECUTE inside PL/pgSQL runs dynamic SQL. USING clause passes parameters safely. format() with %I/%L helps prevent injection.
SQL Server	Native	2005	sp_executesql is preferred over EXEC(@sql) because it supports parameterization and plan reuse. Always use sp_executesql for user-supplied values.
Oracle	Native	8i	EXECUTE IMMEDIATE is the standard PL/SQL mechanism. DBMS_SQL package provides a lower-level cursor API for cases where column count is unknown at compile time.
SQLite	Not Supported	-	No server-side dynamic SQL. The application layer must construct and submit statements via the sqlite3 C API or a driver.

Details

Dynamic SQL is a necessary evil for cases like pivot columns, table-name parameters, or optional filter clauses. The biggest portability concern is SQL injection: always use parameterized queries (USING / sp_executesql parameters / EXECUTE IMMEDIATE USING) rather than string concatenation with user input. PostgreSQL's format() function with %I (identifier quoting) and %L (literal quoting) is particularly ergonomic. SQL Server's sp_executesql additionally enables plan caching since the parameterized template is stable across calls. Oracle's DBMS_SQL package is needed when the number or types of output columns are unknown at compile time — otherwise EXECUTE IMMEDIATE is simpler. MySQL's PREPARE/EXECUTE works at the session level without a stored procedure, which is unique among these engines.

Standard Syntax

-- SQL Server / T-SQL EXEC sp_executesql N'SELECT * FROM ' + @tbl;

Version Support

MySQL: Native since 5.0 PostgreSQL: Native since 7.4 SQL Server: Native since 2005 Oracle: Native since 8i SQLite: Not supported

Per-Database Syntax & Notes

MySQL Native syntax

PREPARE/EXECUTE/DEALLOCATE PREPARE syntax works inside stored routines and at the session level. Parameterized via USING.

SET @sql = CONCAT('SELECT * FROM ', tbl_name); PREPARE stmt FROM @sql; EXECUTE stmt USING @param; DEALLOCATE PREPARE stmt;

PostgreSQL Native syntax

EXECUTE inside PL/pgSQL runs dynamic SQL. USING clause passes parameters safely. format() with %I/%L helps prevent injection.

DO $$ DECLARE sql TEXT; BEGIN sql := format('SELECT * FROM %I WHERE id = %L', tbl, val); EXECUTE sql; END; $$;

SQL Server Native syntax

sp_executesql is preferred over EXEC(@sql) because it supports parameterization and plan reuse. Always use sp_executesql for user-supplied values.

DECLARE @sql NVARCHAR(MAX) = N'SELECT * FROM dbo.Orders WHERE id = @id'; EXEC sp_executesql @sql, N'@id INT', @id = 42;

Oracle Native syntax

EXECUTE IMMEDIATE is the standard PL/SQL mechanism. DBMS_SQL package provides a lower-level cursor API for cases where column count is unknown at compile time.

DECLARE sql_str VARCHAR2(200); BEGIN sql_str := 'UPDATE orders SET status = :1 WHERE id = :2'; EXECUTE IMMEDIATE sql_str USING 'closed', 99; END;