Dynamic SQL on its own it not secure. This adds confusion to the mix as well. Might i suggest you reconsider and use static SQL.

Passing IN clauses with an known number of arguments is easy. It's the unknown that is hard, and each RDBMS has a different solution. Mostly, it requires a recursive CTE that will separate a passed string into its individual elements. You can search for the solution with stored procedures (for your RDBMS), which deal with a similar issue and have a plethora of answers.