SQL Dynamic SQL Help: Msg 203, Level 16, State 2, Line 37

Question

building a dynamic SQL and getting a error. No idea why keeps erroring:

DECLARE @Query AS NVARCHAR(MAX) = 'SELECT ' + @Rune + ' FROM [White_Box_Gaming].[dbo].[Inventory_Runes] WHERE Email = ''' + @tiedtlaw email + ''''

Also tried:

DECLARE @Query AS NVARCHAR(MAX) = 'SELECT ' + @Rune + ' FROM [White_Box_Gaming].[dbo].[Inventory_Runes] WHERE Email = ''' + @Email + ''  

Msg 203, Level 16, State 2, Line 37
The name 'SELECT Rune_ri FROM [White_Box_Gaming].[dbo].[Inventory_Runes] WHERE Email = 'uokgames@Stuff .com' is not a valid identifier.

Soo annoying.

Answer 1

SOLVED:

DECLARE @Result_1 TABLE (ss BIGINT)
DECLARE @Query AS NVARCHAR(MAX) = 'SELECT ' + @Rune + ' FROM [White_Box_Gaming].[dbo].[Inventory_Runes] WHERE Email = ''' + @tiedtlaw email + ''''
INSERT INTO @Result_1 EXEC sp_executesql @Query

Answer 2

This is a better solution:

DECLARE @Result_1 TABLE (ss BIGINT)
DECLARE @Query AS NVARCHAR(MAX) = 
   'SELECT ' + @Rune + ' FROM [White_Box_Gaming].[dbo].[Inventory_Runes] WHERE Email = @Email'
INSERT INTO @Result_1 EXEC sp_executesql @Query, N'@Email nvarchar(50)', @Email

You should never inline parameter values into queries. It is better from all aspects to use parameterised statements.

I don't know what is in this @Rune, but may be possible to deal with it in a similar way.