Hi Julian, I was trying to focus more on the basic principles of how SQL statements are created dynamically.
But you make a very good point; I should probably have nudged the readers towards using sp_executesql from the start.
For those of you reading this, here is a link to what Julian is referring to:
https://blogs.msdn.microsoft.com/turgays/2013/09/17/exec-vs-sp_executesql/