• No harm, no foul.  The comment was not really directed at anyone, I just wanted to introduce the concept of using stored procedures to short-circuit injection attacks.

    IMHO there is never a good reason to use dynamic SQL, either as a command or wrapped in a stored procedure.  Just create as many stored procedures as you need to handle the different scenarios, and call them appropriately. 

    Whenever I bring this approach up, development time up front seems to be the biggest pushback.  But using this approach not only provides the security and performance benefits you mentioned, but also abstracts the internals of the db layer from the application/business layer.  It also makes modifying application code as easy as calling a new sproc, instead of the nightmare of trying to maintain 300 lines of stored procedure code.
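The contrast the comment draws, as an added T-SQL example that is not part of the thread: a stored procedure that merely wraps dynamic SQL still splices the caller's value into statement text, while a static procedure with one procedure per scenario keeps the parameter a value. The `Customers` table and procedure names are assumed for illustration.

```sql
-- Added example (not from the original thread). Assumes SQL Server and a
-- hypothetical Customers table; names are illustrative only.
CREATE TABLE dbo.Customers (
    CustomerId INT PRIMARY KEY,
    LastName   NVARCHAR(100) NOT NULL,
    Region     NVARCHAR(50)  NOT NULL
);
GO

-- AVOID: dynamic SQL wrapped in a stored procedure. @LastName is concatenated
-- into the statement text, so the procedure boundary adds no protection:
-- whatever the caller supplies is executed as part of the SQL.
CREATE PROCEDURE dbo.FindCustomers_Dynamic
    @LastName NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT CustomerId, LastName, Region FROM dbo.Customers '
      + N'WHERE LastName = ''' + @LastName + N'''';
    EXEC (@sql);   -- value and statement text are indistinguishable here
END;
GO

-- PREFER: static SQL. The optimiser compiles the statement once, and @LastName
-- can only ever be compared as a value, never parsed as SQL.
CREATE PROCEDURE dbo.FindCustomers_ByLastName
    @LastName NVARCHAR(100)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CustomerId, LastName, Region
    FROM dbo.Customers
    WHERE LastName = @LastName;
END;
GO

-- "As many stored procedures as you need": a second scenario gets its own
-- static procedure rather than a branching dynamic one.
CREATE PROCEDURE dbo.FindCustomers_ByRegion
    @Region NVARCHAR(50)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CustomerId, LastName, Region
    FROM dbo.Customers
    WHERE Region = @Region;
END;
GO

-- A value containing a quote is handled correctly by the static procedure.
EXEC dbo.FindCustomers_ByLastName @LastName = N'O''Brien';
```

Where a legacy procedure cannot yet drop dynamic SQL, passing values through `sp_executesql` with a parameter list rather than string concatenation keeps them out of the statement text; that is a stopgap, not a substitute for the static procedures above.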