It looks like you want to use sp_executesql:
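```sql
-- Comma-separated list of postal codes to filter on
Declare @PostalCode varchar(1000)=0
set @PostalCode ='7005036,7004168,7002314,7001188,6998955'
declare @sql nvarchar(4000) -- didn't count the chars...
-- The list is concatenated directly into the statement text
-- (table alias changed from cl to hl so that hl.* and hl.PostalCode resolve)
select @sql = N'Select hl.* From CountryLocation hl
INNER JOIN refPostalCodes pc ON pc.PostalCode = hl.PostalCode
where pc.Postalcode in (' + @PostalCode + ') and pc.notDeleted = 1'
exec sp_executesql @sql
```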
When coding this way, you need to watch out for SQL injection.
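One way to keep the list out of the statement text is to pass it to sp_executesql as a parameter and split it inside the query. This is an added example, not part of the original answer. It assumes SQL Server 2016 or later (for STRING_SPLIT) and integer postal codes; the temp tables, their rows and the `@list` parameter name are constructed for illustration.

```sql
-- Constructed stand-ins for the answer's CountryLocation and refPostalCodes
-- tables (column names beyond PostalCode/notDeleted and all types are assumptions).
CREATE TABLE #CountryLocation (LocationName varchar(50), PostalCode int);
CREATE TABLE #refPostalCodes  (PostalCode int, notDeleted bit);

INSERT INTO #CountryLocation VALUES
    ('Site A', 7005036), ('Site B', 7004168), ('Site C', 1234567);
INSERT INTO #refPostalCodes VALUES
    (7005036, 1), (7004168, 0), (1234567, 1);

-- Caller-supplied list. The last element is a constructed hostile value that
-- would close the IN (...) list and alter the WHERE clause if concatenated.
DECLARE @PostalCode varchar(1000) = '7005036, 7004168, 1) OR 1=1 --';

-- Optional strict check: flag the request when any element is not an integer.
IF EXISTS (SELECT 1
           FROM STRING_SPLIT(@PostalCode, ',') AS s
           WHERE TRY_CAST(LTRIM(RTRIM(s.value)) AS int) IS NULL)
    PRINT 'Postal code list contains non-integer elements; they will be ignored.';

-- The statement text is a constant. The list travels as the @list parameter,
-- so it is only ever treated as data, never parsed as SQL.
DECLARE @sql nvarchar(4000) = N'
SELECT hl.*
FROM #CountryLocation hl
INNER JOIN #refPostalCodes pc ON pc.PostalCode = hl.PostalCode
WHERE pc.PostalCode IN (SELECT TRY_CAST(LTRIM(RTRIM(s.value)) AS int)
                        FROM STRING_SPLIT(@list, '','') AS s)
  AND pc.notDeleted = 1;';

EXEC sp_executesql @sql,
     N'@list varchar(1000)',   -- parameter definition
     @list = @PostalCode;      -- parameter value

DROP TABLE #CountryLocation;
DROP TABLE #refPostalCodes;
```

Because nothing in the statement text varies, the same query also works without dynamic SQL; sp_executesql is kept here only to match the answer's approach.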