• All of the posted code is vulnerable to SQL injection. Please, please, for the third or fourth time, read up on SQL injection and don't use dynamic SQL until you have done so and understand how and why it's such a risk.

    You've got sp_executesql with parameters being passed to it, but those parameters are never used anywhere in the dynamic SQL and hence give you no protection at all. Passing parameters is not the key. Using only parameters is the key.

    Additionally, you have been referred, more than once, to my blog post on how to do catch-all queries safely with no injection risk.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
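
The difference the post above describes, as an added T-SQL example (not the poster's code and not taken from the blog post mentioned): parameters that are passed to sp_executesql but never referenced in the statement text, next to a catch-all search whose text contains only parameter names. The temp table, its columns and the variable names are hypothetical.

```sql
-- Hypothetical table and sample rows, constructed for this example.
CREATE TABLE #Customers (CustomerID int, LastName nvarchar(50), City nvarchar(50));
INSERT INTO #Customers VALUES (1, N'O''Brien', N'Cork'), (2, N'Smith', N'Leeds');

-- Optional search filters; NULL means "not supplied".
DECLARE @LastName nvarchar(50) = N'O''Brien',
        @City     nvarchar(50) = NULL;
DECLARE @sql    nvarchar(max),
        @params nvarchar(200) = N'@LastName nvarchar(50), @City nvarchar(50)';

-- Pattern the post warns about: the values are concatenated into the string.
-- Passing @params alongside this text would protect nothing, because the
-- statement never references @LastName or @City.
SET @sql = N'SELECT CustomerID, LastName, City FROM #Customers WHERE 1 = 1';
IF @LastName IS NOT NULL
    SET @sql += N' AND LastName = ''' + @LastName + N'''';
IF @City IS NOT NULL
    SET @sql += N' AND City = ''' + @City + N'''';
-- Printed, not executed: the user-supplied value is now part of the statement
-- text, and the apostrophe in the name already ends the string literal early.
PRINT @sql;

-- Parameter-only pattern: the string is built from fixed fragments, and the
-- values travel separately as typed parameters.
SET @sql = N'SELECT CustomerID, LastName, City FROM #Customers WHERE 1 = 1';
IF @LastName IS NOT NULL
    SET @sql += N' AND LastName = @LastName';
IF @City IS NOT NULL
    SET @sql += N' AND City = @City';
PRINT @sql;  -- contains parameter names only, whatever the input values are

EXEC sys.sp_executesql @sql, @params, @LastName = @LastName, @City = @City;

DROP TABLE #Customers;
```

A quick review check for code like this is to search the statement-building lines for any variable concatenated between quote characters; in the second form the only things appended to `@sql` are string constants.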