• As a programmer heavily involved in database development, I normally avoid dynamic SQL within any code, but I've used plenty of it within stored procedures, which seem to give you the best of both worlds.

    Of course, the actual sin of dynamic SQL is passing unverified text from the end user into the generated statement(s), as that's where injection occurs. If you simply generate the SQL within the stored proc (or wherever), based on a few options passed by the user, then all they can do is pick from a limited set of SQL statements that you've already made sure aren't going to break the system.

    The only thing I'd say that's "BAD, BAD, BAD" is discounting any option or technique available, so that's why I agree with the article's basic sentiments.

    Paul

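To make the distinction in the comment above concrete, here is an added example that is not part of the original post or the article it replies to. It assumes SQL Server (T-SQL, `CREATE OR ALTER` needs 2016 SP1 or later) and a hypothetical table `dbo.Orders(OrderId, CustomerId, Status, OrderDate)`; the procedure names `dbo.GetOrders_Unsafe` and `dbo.GetOrders` are invented for illustration. The first procedure splices caller text into the statement; the second builds the statement from fixed fragments selected by a small option code and passes every data value as a parameter through `sp_executesql`, so the caller never supplies any SQL text at all.

```sql
-- Added example (not from the original post). Assumes SQL Server / T-SQL and a
-- hypothetical table dbo.Orders(OrderId, CustomerId, Status, OrderDate).

-- BAD: the caller's text is concatenated straight into the statement.
-- A value such as @SortColumn = N'OrderDate; DROP TABLE dbo.Orders; --'
-- is executed as SQL, which is the injection the comment describes.
CREATE OR ALTER PROCEDURE dbo.GetOrders_Unsafe
    @CustomerId INT,
    @SortColumn NVARCHAR(128)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT OrderId, CustomerId, Status, OrderDate FROM dbo.Orders '
      + N'WHERE CustomerId = ' + CAST(@CustomerId AS NVARCHAR(20)) + N' '
      + N'ORDER BY ' + @SortColumn;
    EXEC (@sql);
END;
GO

-- SAFE: the caller only picks an option. Every SQL fragment is fixed inside the
-- procedure, and data values travel as typed parameters via sp_executesql,
-- never as concatenated text.
CREATE OR ALTER PROCEDURE dbo.GetOrders
    @CustomerId INT,
    @SortOption TINYINT = 0,         -- 0 = newest first, 1 = oldest first, 2 = by status
    @Status     NVARCHAR(20) = NULL  -- optional filter, bound as a parameter
AS
BEGIN
    SET NOCOUNT ON;

    -- Map the option code onto one of a closed set of ORDER BY clauses.
    DECLARE @orderBy NVARCHAR(100) =
        CASE @SortOption
            WHEN 0 THEN N'ORDER BY OrderDate DESC'
            WHEN 1 THEN N'ORDER BY OrderDate ASC'
            WHEN 2 THEN N'ORDER BY Status, OrderDate DESC'
        END;  -- any other value yields NULL and is rejected below

    IF @orderBy IS NULL
    BEGIN
        RAISERROR(N'Invalid @SortOption %d', 16, 1, @SortOption);
        RETURN;
    END;

    -- Assemble the statement from fixed fragments only; @cid and @st are
    -- parameter placeholders, not the caller's values.
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT OrderId, CustomerId, Status, OrderDate FROM dbo.Orders '
      + N'WHERE CustomerId = @cid '
      + CASE WHEN @Status IS NULL THEN N'' ELSE N'AND Status = @st ' END
      + @orderBy + N';';

    EXEC sys.sp_executesql
        @sql,
        N'@cid INT, @st NVARCHAR(20)',
        @cid = @CustomerId,
        @st  = @Status;
END;
GO

-- Usage: the only caller-controlled inputs are typed values and a small option code.
EXEC dbo.GetOrders @CustomerId = 42, @SortOption = 2, @Status = N'Shipped';
```

The point of the second procedure is that the set of statements it can ever execute is enumerable by reading the procedure: three ORDER BY variants, with or without the status filter. Whatever the caller puts in `@Status` is bound as data, and an out-of-range `@SortOption` fails closed with an error rather than falling through to some default statement.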