Better yet. Don't use dynamic SQL. Then there is no need for injection testing.