• Ah... while I agree with being paranoid about the use of dynamic SQL, it should not be something that keeps you from using it when necessary. It's an incredibly powerful tool that can do things not otherwise possible but, as the others have stated, must be made to completely and absolutely prevent SQL Injection attempts.

    For the code given in the original post, the content of @TableName should be verified by checking sys.objects to see if the table name actually exists, and THAT can certainly be done without dynamic SQL. If the table name doesn't exist, then exit the stored procedure without giving any clue as to what the problem is, so that a potential attacker isn't given any clues.

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)
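The sys.objects check described in the post above, written out as an added T-SQL example (this is not Jeff's code or the original poster's); the procedure name dbo.GetRowCount, the @SchemaName parameter and the COUNT(*) query are assumed for illustration.

```sql
-- Added example, not from the original thread: validate @TableName against
-- catalog metadata BEFORE any dynamic SQL is built, then exit silently if
-- the table is unknown. Procedure name and query body are assumed.
CREATE OR ALTER PROCEDURE dbo.GetRowCount
    @SchemaName sysname = N'dbo',
    @TableName  sysname
AS
BEGIN
    SET NOCOUNT ON;

    DECLARE @CatalogSchema sysname, @CatalogTable sysname;

    -- Static lookup in sys.objects / sys.schemas: no dynamic SQL needed here.
    -- Only user tables (type 'U') with an exact schema + name match qualify.
    SELECT @CatalogSchema = s.name,
           @CatalogTable  = o.name
    FROM sys.objects AS o
    JOIN sys.schemas AS s ON s.schema_id = o.schema_id
    WHERE o.type = 'U'
      AND s.name = @SchemaName
      AND o.name = @TableName;

    -- Unknown table: leave quietly. No RAISERROR, no message text that
    -- tells the caller whether the name was close, malformed or filtered.
    IF @CatalogTable IS NULL
        RETURN;

    -- The name is now known to exist. Build the statement from the
    -- catalog's own copy of the identifier (not the caller's string) and
    -- bracket it with QUOTENAME, so nothing user-supplied is concatenated.
    DECLARE @sql nvarchar(max) =
        N'SELECT COUNT(*) AS RowCnt FROM '
        + QUOTENAME(@CatalogSchema) + N'.' + QUOTENAME(@CatalogTable) + N';';

    EXEC sys.sp_executesql @sql;
END;
GO

-- Constructed sample calls: the first returns a row count for an existing
-- table, the second (a name that is not a table) returns nothing at all.
-- EXEC dbo.GetRowCount @TableName = N'Customers';
-- EXEC dbo.GetRowCount @TableName = N'Customers; DROP TABLE Customers;--';
```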