Parameters are for values, not for statements (or pieces of statements).
A and Z are values that can be put in a parameter (let's say @value1 and @value2) (and we will ignore the complexity of doing the IN operator using a variable number of parameters... there is an hard limit on the number of parameters in SQL Server, 2100). So for example WHERE param1 IN (@value1, @value2) is perfectly ok...
You can't put the whole WHERE param1 IN (@value1, @value2) in a parameter.
You shouldn't/mustn't let the user write SQL statements or piece of SQL statements (so no SELECT or WHERE written by the user), it is very highly insecure, and I don't think it can really be secured.
Even letting the user fill the name of columns to be selected can be insecure. Always ask yourself: what happens if the user writes, as the column name, for example?
-- DROP TABLE SomeTable --
And even letting the user select the column names from a "closed list" could be insecure, because 9 times out of 10 you won't check if the user manipulated the javascript of the page to write whatever he wants in the combobox/listbox (it is quite easy... press F12 on Chrome and the whole javascript of the page is in your hands).
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
