declare @sql NVARCHAR(MAX);
declare @tableName NVARCHAR(128);
set @tableName='xxxx';
SET @sql = N'select * from ' + QUOTENAME(@tableName)
EXECUTE sp_executesql @sql
Use QUOTENAME()
Function when concertinaing passed variables from users to your dynamic sql. It protects you against possible sql injection attack.