My comment "dynamic SQL isn't a good idea" is directly related to injection attacks, as you state.
What I like about this solution is that everything (client side with a strong dataset, and this procedure on the server side) is "strongly typed" and isn't a lot of string concatenation.
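Client side, I would write something like:
    // Typed DataSet: the row class and table are generated from the schema
    ParameterDS ds = new ParameterDS();
    ParameterDS.ScalarRow srow = ds.Scalar.NewScalarRow();
    // Values are assigned as DateTime, never concatenated into SQL text
    srow.FromDate = DateTime.Now;
    srow.ToDate = DateTime.Now;
    ds.Scalar.AddScalarRow(srow);
Something like that.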
So I get strong typing.
It's not the only way to skin a cat, but it's my preferred and still serves me well after 12 or so years.
Thanks for the feedback.