Msg 137, Level 15, State 1, Procedure sp_CallStatement, Line 8
Must declare the scalar variable "@sql".
As the error message says: you don't declare @sql so it doesn't know what to do with it.
Msg 102, Level 15, State 1, Procedure sp_CallStatement, Line 11
Incorrect syntax near 'PREPARE'.
PREPARE is not an SQL keyword: it doesn't know what you mean:
Reserved Keywords (Transact-SQL) | Microsoft Docs
Prepare is a PHP construct, not SQL. Which leaves your SP wide open to SQL injection all over again...
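
Added example, not part of the original answer or the asker's code: in T-SQL, dynamic SQL is parameterized with sp_executesql, which addresses both errors above and the injection risk. The procedure name, its parameters and the Id column are assumptions made for illustration.

```sql
-- Hypothetical procedure: name, parameters and the Id column are assumptions.
-- CREATE OR ALTER needs SQL Server 2016 SP1 or later; use CREATE on older versions.
CREATE OR ALTER PROCEDURE dbo.usp_GetRowById
    @SchemaName sysname,
    @TableName  sysname,
    @Id         int
AS
BEGIN
    SET NOCOUNT ON;

    -- Declare the variable before using it (the cause of Msg 137).
    DECLARE @sql nvarchar(max);

    -- Identifiers cannot be bound as parameters, so accept only a
    -- schema/table pair that actually exists in the catalog.
    IF NOT EXISTS (
        SELECT 1
        FROM sys.tables  AS t
        JOIN sys.schemas AS s ON s.schema_id = t.schema_id
        WHERE s.name = @SchemaName
          AND t.name = @TableName
    )
    BEGIN
        RAISERROR('Unknown table.', 16, 1);
        RETURN;
    END;

    -- QUOTENAME brackets the identifiers and escapes any closing bracket.
    -- The value stays a placeholder (@Id) inside the statement text.
    SET @sql = N'SELECT * FROM '
             + QUOTENAME(@SchemaName) + N'.' + QUOTENAME(@TableName)
             + N' WHERE Id = @Id;';

    -- sp_executesql binds @Id as typed data, never as part of the SQL text.
    EXEC sys.sp_executesql
         @sql,
         N'@Id int',
         @Id = @Id;
END;
```

Only the validated, quoted identifiers are concatenated into the statement; every value supplied by the caller travels through the parameter list.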