For more information on SQL Injection, my recommendation would be to Google it. It's a large subject and contains way too much information for me to post on a thread.
The bottom line is that if you concatenate any character based parameters using Dynamic SQL, your code is subject to SQL Injection. That also includes any front-end code. In order to prevent such injection, the code must be properly parameterized. In SQL Server, such parameterization can be done using sp_ExecuteSQL.
Probably the best example on the internet of how to use that for "catch-all" queries may be found at the following link.
http://sqlinthewild.co.za/index.php/2009/03/19/catch-all-queries/
Probably the world's most famous and extremely pertinent cartoon on the subject of SQL Injection can be found at the following URL...
SQL Injection is still the world's biggest problem for hack-attacks. Don't take it lightly.
--Jeff Moden
Change is inevitable... Change for the better is not.
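The concatenated "catch-all" query the post warns about, shown beside the sp_executesql version it recommends, as an added example that is not part of the original post; the dbo.Customers table and its columns are assumed for illustration.

```sql
-- Added example (not from the post): a "catch-all" search over an assumed
-- dbo.Customers(CustomerID, LastName, City) table, first the vulnerable way,
-- then parameterized with sp_executesql.

-- VULNERABLE: the parameter values are concatenated into the SQL text, so a
-- single quote inside @LastName or @City alters the statement itself.
CREATE PROCEDURE dbo.SearchCustomers_Unsafe
    @LastName nvarchar(50) = NULL,
    @City     nvarchar(50) = NULL
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerID, LastName, City FROM dbo.Customers WHERE 1 = 1';
    IF @LastName IS NOT NULL
        SET @sql += N' AND LastName = ''' + @LastName + N'''';
    IF @City IS NOT NULL
        SET @sql += N' AND City = ''' + @City + N'''';
    EXEC (@sql);   -- the caller's text is now part of the query
END;
GO

-- SAFE: only the *shape* of the WHERE clause is built dynamically; the values
-- travel as typed parameters and are never parsed as SQL.
CREATE PROCEDURE dbo.SearchCustomers
    @LastName nvarchar(50) = NULL,
    @City     nvarchar(50) = NULL
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerID, LastName, City FROM dbo.Customers WHERE 1 = 1';
    IF @LastName IS NOT NULL
        SET @sql += N' AND LastName = @LastName';
    IF @City IS NOT NULL
        SET @sql += N' AND City = @City';

    -- Parameters the statement does not reference are simply ignored, and each
    -- distinct WHERE shape gets its own cached plan (the point of the pattern).
    EXEC sys.sp_executesql
        @sql,
        N'@LastName nvarchar(50), @City nvarchar(50)',
        @LastName = @LastName,
        @City     = @City;
END;
GO

-- Usage: a value containing a quote is matched literally, not executed.
EXEC dbo.SearchCustomers @LastName = N'O''Brien';
```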