You quite rightly say
When placing your Dynamic SQL code into production (typically in stored procedures), be careful about concatenating alphanumeric parameters directly because of SQL injection.
but a few lines previously, you've done exactly that, ending up with an
EXEC (@SQL)
Shouldn't you be recommending the use of sp_executesql from the outset?
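The contrast the comment is drawing, as an added example that is not part of the original article or comment: the concatenated EXEC form beside a parameterised sp_executesql form. The table dbo.Customers and its columns are assumed for illustration.

```sql
-- Added example; the table dbo.Customers(CustomerId, Name, City) is assumed.

-- Concatenation: the caller's value becomes part of the statement text, so a
-- value containing a single quote changes the SQL that runs instead of being
-- treated as the city being searched for (the SQL injection risk the article names).
CREATE PROCEDURE dbo.FindCustomersByCity_Concat
    @City NVARCHAR(50)
AS
BEGIN
    DECLARE @SQL NVARCHAR(MAX);
    SET @SQL = N'SELECT CustomerId, Name FROM dbo.Customers WHERE City = '''
             + @City + N'''';
    EXEC (@SQL);
END;
GO

-- sp_executesql: the statement text is fixed; @City travels as a typed
-- parameter and is never parsed as SQL, whatever characters it contains.
-- The fixed text also lets the plan cache reuse one plan across calls.
CREATE PROCEDURE dbo.FindCustomersByCity
    @City NVARCHAR(50)
AS
BEGIN
    DECLARE @SQL NVARCHAR(MAX) =
        N'SELECT CustomerId, Name FROM dbo.Customers WHERE City = @City';

    EXEC sys.sp_executesql
        @stmt   = @SQL,
        @params = N'@City NVARCHAR(50)',
        @City   = @City;
END;
GO
```

Only values can be passed this way; a table or column name that has to vary still cannot be a parameter and must be validated and wrapped with QUOTENAME() before it is spliced into @SQL.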