Use Stored procedures, avoid open queries and still necessary use SP_EXECUTESQL for open queries.

Constrain Input. You should validate all input to your ASP.NET applications for type, length, format, and range. ... Use Parameters with Stored Procedures. Using stored procedures does not necessarily prevent SQL injection. ... Use Parameters with Dynamic SQL.

use stored procedure and instead of passing control value pass by parameter for ex, instead of textbox.Text pass @parameter

We use stored procedure for avoiding sql injection attack.