The dynamic value passed into the SQL query should be validated. Bind variables in prepared statements (parameterized queries) are the simplest way to mitigate the risk of SQL injection.
If the user input is not properly escaped, a malicious user can insert additional SQL into the statement and change the semantics of the original query. This can be used to circumvent the application logic, to read data from other tables, or to escalate to the operating system.
// Vulnerable: the input is concatenated into the SQL text
db.ExecuteQuery(@"SELECT * FROM dbo.Users
WHERE UserId = " + inputId + " AND group = 5");
// Solution 1: a typed LINQ query, which the provider turns into a parameterized command
var query = from user in db.Users
where user.UserId == inputId
select user;
// Solution 2: ExecuteQuery with a {0} placeholder, which becomes a bound parameter
db.ExecuteQuery(@"SELECT * FROM dbo.Users
WHERE UserId = {0} AND group = 5", inputId);
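The following is an added, self-contained C# example (not code from the original page) that puts the three snippets above side by side in a LINQ to SQL context. The `User` entity, the `UsersContext` class, the column names and the repository method names are assumptions for illustration; `group` is written as `[group]` because it is a reserved word in T-SQL.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Linq;
using System.Data.Linq.Mapping;
using System.Linq;

// Hypothetical LINQ to SQL mapping for the dbo.Users table used in the
// snippets above. Column names are assumed, not taken from the page.
[Table(Name = "dbo.Users")]
public class User
{
    [Column(IsPrimaryKey = true)] public int UserId { get; set; }
    [Column] public string Name { get; set; }
    [Column(Name = "group")] public int Group { get; set; }
}

// Hypothetical DataContext exposing the Users table.
public class UsersContext : DataContext
{
    public UsersContext(string connectionString) : base(connectionString) { }
    public Table<User> Users => GetTable<User>();
}

public static class UserRepository
{
    // VULNERABLE: the raw string is spliced into the SQL text, so any SQL
    // syntax contained in inputId becomes part of the WHERE clause.
    public static IEnumerable<User> FindUnsafe(UsersContext db, string inputId)
    {
        return db.ExecuteQuery<User>(
            "SELECT * FROM dbo.Users WHERE UserId = " + inputId + " AND [group] = 5");
    }

    // SAFE (1): a typed LINQ query. The provider emits a parameterized command,
    // and because the parameter is an int no SQL text is ever built from input.
    public static IEnumerable<User> FindWithLinq(UsersContext db, int inputId)
    {
        return db.Users.Where(u => u.UserId == inputId && u.Group == 5);
    }

    // SAFE (2): ExecuteQuery with a {0} placeholder. LINQ to SQL binds the value
    // as a SqlParameter instead of concatenating it into the statement.
    public static IEnumerable<User> FindWithPlaceholder(UsersContext db, int inputId)
    {
        return db.ExecuteQuery<User>(
            "SELECT * FROM dbo.Users WHERE UserId = {0} AND [group] = 5", inputId);
    }

    // Validation at the trust boundary: only a positive integer is accepted
    // before the value reaches either of the safe query methods.
    public static bool TryParseUserId(string raw, out int userId)
    {
        return int.TryParse(raw, out userId) && userId > 0;
    }
}

public static class Program
{
    public static void Main(string[] args)
    {
        // Constructed sample inputs: one well-formed id and one that is not.
        foreach (var raw in new[] { "42", "42 --" })
        {
            if (UserRepository.TryParseUserId(raw, out int id))
                Console.WriteLine($"accepted {id}; would run FindWithLinq/FindWithPlaceholder");
            else
                Console.WriteLine($"rejected '{raw}' before any query is built");
        }
    }
}
```

The parsing step is a defence in depth measure, not a substitute for parameterization: `FindWithLinq` and `FindWithPlaceholder` take an `int`, so the type system itself prevents a string from ever reaching the query, which is the property the rule is asking for.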
LINQ: How to Query for Information
WASC-19: SQL Injection
OWASP: Top 10 2013-A1-Injection
OWASP: SQL Injection Prevention Cheat Sheet
OWASP: Query Parameterization Cheat Sheet
CAPEC-66: SQL Injection
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')