• getoffmyfoot (10/5/2010)


    Dynamic SQL is also more susceptible to SQL injection. You might find it cleaner to have two queries with differently formatted WHERE clauses and an IF statement that chooses which SQL statement to run.

    If correctly done, dynamic SQL is not susceptible to SQL injection.

    You just have to make sure the code is correctly parameterized, and that input from the application is not used directly to build SQL statements.
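As an added T-SQL example (not code from either poster), here is the distinction the reply draws: the same optional-filter query built by string concatenation, then built so that the statement text is assembled in code while every value travels as a parameter through sp_executesql, plus the static two-statement alternative from the quoted post. The table dbo.Orders and its columns are hypothetical.

```sql
-- Added example, not from either poster. Assumes a hypothetical table
-- dbo.Orders(OrderId int, CustomerId int, Status nvarchar(20), OrderDate datetime).
DECLARE @Status nvarchar(20) = N'Shipped';   -- imagine this came from the application
DECLARE @CustomerId int = NULL;              -- optional second filter
DECLARE @Sql nvarchar(max);

-- 1. UNSAFE: the value is spliced into the statement text. Any quote or
--    comment character in @Status becomes part of the SQL that is executed.
SET @Sql = N'SELECT OrderId, CustomerId FROM dbo.Orders WHERE Status = N'''
         + @Status + N'''';
-- EXEC (@Sql);   -- this is the pattern the quoted post is warning about

-- 2. SAFE: only the *structure* (which predicates are present) is built in
--    code; the *values* are bound as parameters, so the executed text never
--    contains application input and its meaning cannot change.
SET @Sql = N'SELECT OrderId, CustomerId, Status FROM dbo.Orders WHERE 1 = 1';
IF @Status IS NOT NULL
    SET @Sql += N' AND Status = @pStatus';
IF @CustomerId IS NOT NULL
    SET @Sql += N' AND CustomerId = @pCustomerId';

-- Identifiers (column or table names) cannot be parameters. If one must
-- vary, check it against an allow list and wrap it with QUOTENAME.
DECLARE @SortColumn sysname = N'OrderDate';
IF @SortColumn NOT IN (N'OrderDate', N'OrderId')
BEGIN
    RAISERROR(N'Invalid sort column', 16, 1);
    RETURN;
END;
SET @Sql += N' ORDER BY ' + QUOTENAME(@SortColumn);

EXEC sys.sp_executesql
    @Sql,
    N'@pStatus nvarchar(20), @pCustomerId int',   -- parameter declarations
    @pStatus = @Status,
    @pCustomerId = @CustomerId;

-- 3. The quoted post's alternative: no dynamic SQL at all. Two static
--    statements and an IF that picks one. Both are parameterized by nature.
IF @CustomerId IS NULL
    SELECT OrderId, CustomerId, Status FROM dbo.Orders
    WHERE Status = @Status ORDER BY OrderDate;
ELSE
    SELECT OrderId, CustomerId, Status FROM dbo.Orders
    WHERE Status = @Status AND CustomerId = @CustomerId ORDER BY OrderDate;
```

Pattern 2 also gives the optimizer a reusable plan per predicate combination, since the statement text is identical for every value of @Status. Pattern 3 is simpler to audit but grows as 2^n statements for n optional filters, which is usually the point at which people reach for sp_executesql.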