You now know how to gather user input and format it to build a query dynamically. You're aware of some of the pitfalls in constructing dynamic queries as well as some of the security risks.
Keep your database secure by constructing parameterized queries and executing them through the sp_executesql stored procedure, so that user input is passed as typed parameter values rather than spliced into the query text. You can even use these techniques to accomplish tasks beyond simply returning data to the user.
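As an added example (not code from the chapter), the two ways of running a dynamic query side by side in T-SQL: the string-concatenation pattern the summary warns against, and the parameterized form executed through sp_executesql. The dbo.Customers table, its columns and the @City value are assumed for illustration.

```sql
-- Added example (not from the chapter): dynamic queries against a hypothetical
-- dbo.Customers table. Table, column names and the sample value are assumed.

-- 1. String concatenation: the user-supplied value becomes part of the SQL text,
--    so the structure of the statement depends on the input. Pattern to avoid.
DECLARE @City nvarchar(50) = N'Seattle';   -- stands in for a value typed by a user
DECLARE @UnsafeSql nvarchar(max) =
    N'SELECT CustomerID, CompanyName FROM dbo.Customers WHERE City = ''' + @City + N''';';
-- EXEC (@UnsafeSql);  -- the statement text changes with every input value

-- 2. Parameterized dynamic SQL through sp_executesql: the SQL text is fixed and
--    the user value travels separately as a typed parameter.
DECLARE @Sql nvarchar(max) =
    N'SELECT CustomerID, CompanyName FROM dbo.Customers WHERE City = @CityParam;';
DECLARE @ParamDefs nvarchar(200) = N'@CityParam nvarchar(50)';

EXEC sys.sp_executesql @Sql, @ParamDefs, @CityParam = @City;

-- 3. sp_executesql also supports OUTPUT parameters, which is how the same
--    technique returns a computed value instead of a result set.
DECLARE @RowCount int;
DECLARE @CountSql nvarchar(max) =
    N'SELECT @Cnt = COUNT(*) FROM dbo.Customers WHERE City = @CityParam;';
EXEC sys.sp_executesql @CountSql,
     N'@CityParam nvarchar(50), @Cnt int OUTPUT',
     @CityParam = @City, @Cnt = @RowCount OUTPUT;
SELECT @RowCount AS MatchingCustomers;
```

Because the parameterized text never changes, the query plan is also reusable across calls, which is a side benefit the concatenated form forfeits.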
Chapter 7: Quick Reference