Tag Archive for: sql-server, sql-injection, dynamic-sql, sp-executesql

SQL Injection and resulting query of sp_executesql in SQL server

I’ve developed a stored procedure that utilizes Dynamic SQL to search for specific entities (this is a procedure for catch-all logic). Is this procedure prone to SQL injection, and how do I get the final query that is being executed by sp_executesql, i.e. after the values are substituted? Here, when I use PRINT @sql, it just gives me the query with the parameter names but not the actual values. Thanks for your time!
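The question does not include the procedure itself, so the following T-SQL is an added example, not the asker's code, built around an assumed `dbo.Customers` table and an assumed database name `MyDb`. It shows the two ways a catch-all search procedure is usually written: one that splices caller-supplied values into the statement text (the injectable shape) and one that keeps only the shape of the statement dynamic while the values travel as typed parameters of `sp_executesql`. The second form is why `PRINT @sql` shows parameter names rather than values: the engine never builds a value-substituted string, it binds the parameters at execution time. The Extended Events session at the end is one way to see what actually ran, with its bound values, without changing the procedure.

```sql
-- Added example, not from the original question. Assumes a table dbo.Customers
-- (CustomerId int, Name nvarchar(100), City nvarchar(100)) and a database MyDb.

-- INJECTABLE SHAPE: caller input is concatenated into the statement text, so a
-- value that contains a quote or a semicolon is parsed as SQL, not as data.
CREATE OR ALTER PROCEDURE dbo.SearchCustomers_Unsafe
    @Name nvarchar(100) = NULL,
    @City nvarchar(100) = NULL
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name, City FROM dbo.Customers WHERE 1 = 1';
    IF @Name IS NOT NULL SET @sql += N' AND Name = ''' + @Name + N'''';  -- value becomes code
    IF @City IS NOT NULL SET @sql += N' AND City = ''' + @City + N'''';
    EXEC sp_executesql @sql;   -- no parameter list: the whole string is trusted as SQL
END
GO

-- PARAMETERISED SHAPE: only the list of predicates is dynamic; the values are
-- passed through sp_executesql's parameter list and bound at execution time.
CREATE OR ALTER PROCEDURE dbo.SearchCustomers
    @Name nvarchar(100) = NULL,
    @City nvarchar(100) = NULL
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name, City FROM dbo.Customers WHERE 1 = 1';
    IF @Name IS NOT NULL SET @sql += N' AND Name = @Name';
    IF @City IS NOT NULL SET @sql += N' AND City = @City';

    -- PRINT shows @Name / @City by name. That is the correct output: the values
    -- are never substituted into the text, which is what makes this form safe.
    PRINT @sql;

    EXEC sp_executesql
        @sql,
        N'@Name nvarchar(100), @City nvarchar(100)',   -- parameter declarations
        @Name = @Name, @City = @City;                  -- bound values
END
GO

-- Seeing what actually executed, with values: capture completed statements for the
-- database with an Extended Events session (requires ALTER ANY EVENT SESSION).
-- sql_statement_completed reports each statement run inside the procedure, and the
-- sql_text action carries the batch that invoked it, including parameter values.
CREATE EVENT SESSION [DynamicSqlAudit] ON SERVER
ADD EVENT sqlserver.sql_statement_completed
    (ACTION (sqlserver.sql_text, sqlserver.client_app_name, sqlserver.username)
     WHERE sqlserver.database_name = N'MyDb')
ADD TARGET package0.ring_buffer;
GO
ALTER EVENT SESSION [DynamicSqlAudit] ON SERVER STATE = START;
GO

-- Example calls (constructed input). The unsafe procedure executes a different
-- statement for every distinct value; the safe one always executes the same
-- parameterised text "(@Name nvarchar(100), @City nvarchar(100))SELECT ...".
EXEC dbo.SearchCustomers @Name = N'Alice';
EXEC dbo.SearchCustomers @City = N'Oslo';
```

Two practical checks follow from this. If the procedure under review builds `@sql` with `+ @SomeParameter +` and then calls `sp_executesql @sql` with no parameter-declaration string, it is the first shape and is injectable regardless of any `PRINT` output. If it passes a declaration string and `@p = @p` bindings, the text `PRINT` shows is exactly what the engine compiles, and the bound values are visible only through tracing (Extended Events as above, SQL Profiler's `SP:StmtCompleted`, or the parameterised text in the plan cache via `sys.dm_exec_query_stats` joined to `sys.dm_exec_sql_text`), never as a substituted string.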