Yes, absolutely yes.
As you have it, it's a security risk (SQL injection) and subject to poor plan caching and reuse.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability
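The two problems named in the reply (injection and one plan-cache entry per distinct value) both come from splicing a caller's value into the statement text. The T-SQL below is an added example, not code from the original thread or from Gail Shaw; the table dbo.Customers, its columns and the @LastName value are assumed for illustration. It shows the concatenated form beside the sp_executesql form that fixes both, plus a query against the plan cache to confirm reuse.

```sql
-- Added example (not from the original post). Assumed objects: dbo.Customers(CustomerID, LastName);
-- @LastName stands in for a value supplied by the caller.

-- Weak form: the caller's value becomes part of the statement text.
-- Each distinct value yields a different statement string, so each gets its own plan-cache
-- entry (no reuse), and a value containing a quote character changes what the statement means.
DECLARE @LastName nvarchar(50) = N'Shaw';   -- constructed sample value
DECLARE @sql      nvarchar(max);

SET @sql = N'SELECT CustomerID, LastName FROM dbo.Customers WHERE LastName = '''
         + @LastName + N''';';
EXEC (@sql);

-- Corrected form: the statement text is constant and the value travels as a typed parameter.
-- The same text hashes to the same cache entry whatever the value, so the plan is reused,
-- and the value is data to the optimizer, never SQL.
SET @sql = N'SELECT CustomerID, LastName FROM dbo.Customers WHERE LastName = @LastName;';

EXEC sys.sp_executesql
     @stmt     = @sql,
     @params   = N'@LastName nvarchar(50)',
     @LastName = @LastName;

-- Check: run each form a few times with different values, then inspect the cache.
-- Expect one row per distinct value for the weak form and a single shared row,
-- with a climbing usecounts, for the parameterised form. Requires VIEW SERVER STATE.
SELECT cp.usecounts, cp.cacheobjtype, cp.objtype, st.text
FROM sys.dm_exec_cached_plans AS cp
CROSS APPLY sys.dm_exec_sql_text(cp.plan_handle) AS st
WHERE st.text LIKE N'%dbo.Customers WHERE LastName%'
  AND st.text NOT LIKE N'%dm_exec_cached_plans%'
ORDER BY cp.usecounts DESC;
```

One caveat when reading the cache query: for a trivial single-table statement, simple (or forced) parameterization can replace the literal with a parameter on the engine's side and mask the difference, so test with a statement shape the engine will not auto-parameterize before drawing conclusions about plan reuse.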