Dynamic SQL

Exec SQL

-- Baseline: the ORDER BY column is spliced into the statement text as-is.
-- EXEC() parses the whole string as T-SQL, so this form is only acceptable
-- while @by is a constant controlled by the author. If @by is ever filled
-- from caller input, quote it with QUOTENAME (as in the QUOTENAME sections
-- of this page) and check it against the table's known column names.
DECLARE @by  NVARCHAR(64),
        @sql NVARCHAR(256);
SET @by  = 'FullName';
SET @sql = 'SELECT * FROM Employee ORDER BY ' + @by;
EXECUTE (@sql);

Stored Procedure sp_executesql

Syntax
sp_executesql @stmt = statement, 
	[@params = N'@parameter_name data_type[out|output]....',] 
	[@param1 = 'value1'];
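-- DECLARE needs an explicit data type, and sp_executesql only accepts a
-- Unicode (nvarchar) statement, so both variables are typed NVARCHAR and
-- the literals carry the N prefix.
DECLARE @by NVARCHAR(64) = N'FullName';
-- @params/@param1 bind values only; a column name in ORDER BY cannot be
-- passed that way, so it is still concatenated here. The concatenated
-- identifier is unquoted: treat @by as trusted-constant-only in this form.
DECLARE @sql NVARCHAR(256) = N'SELECT * FROM Employee Order BY ' + @by;
EXEC sp_executesql @stmt = @sql;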

Exec SQL and QUOTENAME

-- QUOTENAME wraps the value in [ ] and doubles any ] inside it, so the
-- whole value is parsed as one identifier instead of as SQL text.
-- It protects a single identifier only: a sort direction or a list of
-- columns cannot be passed through it, and a name that is not a column of
-- Employee still fails when the statement runs. Checking @by against the
-- table's known columns before executing gives a cleaner failure.
DECLARE @by  NVARCHAR(64),
        @sql NVARCHAR(256);
SET @by  = 'FullName';
SET @sql = 'SELECT * FROM Employee ORDER BY ' + QUOTENAME(@by);
EXECUTE (@sql);

Stored Procedure sp_executesql and QUOTENAME

Syntax
sp_executesql @stmt = statement, 
	[@params = N'@parameter_name data_type[out|output]....',] 
	[@param1 = 'value1'];
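-- DECLARE needs an explicit data type, and sp_executesql only accepts a
-- Unicode (nvarchar) statement, so both variables are typed NVARCHAR and
-- the literals carry the N prefix.
DECLARE @by NVARCHAR(64) = N'FullName';
-- The column name cannot be bound through @params (that mechanism binds
-- values, not identifiers), so it is concatenated after QUOTENAME has
-- bracketed it and doubled any ] it contains.
-- QUOTENAME covers one identifier only; validate @by against the table's
-- known column names if it can come from outside this batch.
DECLARE @sql NVARCHAR(256) = N'SELECT * FROM Employee Order BY ' + QUOTENAME(@by);
EXEC sp_executesql @stmt = @sql;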