• I am one of the developers who works from the basis that Dynamic SQL is "bad". Having said that, it is not gospel, simply a starting point. If there are alternatives, I feel that they should be used; however, often it is the only viable approach, in which case it is done as a conscious decision and appropriate precautions can be taken. I am working with an application at present where, while I can read the data, I am not able to add any objects to the database itself, and I require input from the user. I agree with Stephen's point that purely internal use mitigates much of the risk. I still work on the assumption that there is some risk and therefore validate the user input.

    A good article, IMO, which places the context of the code at the forefront and identifies the decisions made within the context.
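An added illustration of the two choices the comment above contrasts (bound parameters where they are possible, validated input where dynamic SQL is the only option); this is example code written for this page, not the commenter's code or the article's. It assumes Python's standard sqlite3 module, a constructed `users` table, and a hypothetical allowlist of sortable columns.

```python
import sqlite3

# Constructed sample schema and rows; they are assumptions for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    conn.commit()
    return conn


def find_by_name_unsafe(conn, name):
    # Dynamic SQL built by concatenation: the user's text becomes SQL syntax,
    # so a value such as  x' OR '1'='1  widens the WHERE clause to every row.
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_safe(conn, name):
    # Bound parameter: the driver sends the value separately from the SQL
    # text, so quotes in the input are data, never syntax.
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


# Hypothetical allowlist: identifiers (column names) cannot be bound as
# parameters, so when the sort column comes from the user the query must be
# dynamic and the input must be validated instead.
ALLOWED_SORT_COLUMNS = {"id", "name", "role"}


def list_sorted(conn, sort_column, descending=False):
    # Reject anything not on the allowlist before it reaches the SQL text.
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"sort column not allowed: {sort_column!r}")
    direction = "DESC" if descending else "ASC"
    # Only allowlisted identifiers are spliced in; quoting them guards
    # against clashes with reserved words.
    sql = f'SELECT id, name FROM users ORDER BY "{sort_column}" {direction}'
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("unsafe:", find_by_name_unsafe(db, payload))   # every row
    print("safe:  ", find_by_name_safe(db, payload))     # no rows
    print("sorted:", list_sorted(db, "name", descending=True))
    try:
        list_sorted(db, "id; DROP TABLE users")
    except ValueError as exc:
        print("rejected:", exc)
```

The split is the practical rule of thumb: values go through parameters, and only the parts of a statement that cannot be parameterised (identifiers, sort direction, table names) are assembled dynamically, each one checked against a fixed allowlist rather than escaped.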