Constructing elements of the code based on querying the actual data. For example, constructing a PIVOT query dynamically when you don’t know ahead of time which elements should appear in the IN clause of the PIVOT operator.
Note
Be extremely careful when concatenating user input as part of your code. Attackers can attempt to inject code you did not intend to run. The best measure you can take against SQL injection is to avoid concatenating user input as part of your code at all: pass values as parameters (for example, through sp_executesql), and when an object or column name must be spliced into the code, delimit it with QUOTENAME so that it cannot escape its brackets. If you do concatenate user input as part of your code, make sure you thoroughly inspect the input and look for SQL injection attempts. You can find an excellent article on the subject in SQL Server Books Online under “SQL Injection.”
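The following T-SQL is an added example, not code from the book, that puts both points above together: the IN list of a PIVOT is built from the data itself (so the column set is not known in advance), while the one value that comes from the user is passed to sp_executesql as a parameter instead of being concatenated. The #Orders table and its rows are constructed for the demonstration; STRING_AGG requires SQL Server 2017 or later.

```sql
-- Added example (not from the book). Sample data is constructed here.
DROP TABLE IF EXISTS #Orders;
CREATE TABLE #Orders
(
  orderid   INT         NOT NULL PRIMARY KEY,
  custid    VARCHAR(10) NOT NULL,
  orderyear INT         NOT NULL,
  qty       INT         NOT NULL
);

INSERT INTO #Orders(orderid, custid, orderyear, qty) VALUES
  (1, 'A', 2021, 10), (2, 'A', 2022, 12), (3, 'B', 2021, 20),
  (4, 'B', 2023, 30), (5, 'C', 2022, 40), (6, 'C', 2023, 50);

DECLARE
  @cols    AS NVARCHAR(MAX),
  @sql     AS NVARCHAR(MAX),
  @mincust AS VARCHAR(10) = 'B';   -- stands in for a value typed by a user

-- 1. Data-driven IN list: the set of years is discovered by querying the
--    data. Each value is wrapped by QUOTENAME, so the generated code only
--    ever contains bracket-delimited identifiers such as [2021]; a value
--    containing ']' or a quote is escaped rather than treated as code.
SELECT @cols =
  STRING_AGG(QUOTENAME(CAST(orderyear AS NVARCHAR(10))), N',')
    WITHIN GROUP (ORDER BY orderyear)
FROM (SELECT DISTINCT orderyear FROM #Orders) AS Y;

-- 2. The user-supplied filter is NOT concatenated. The code refers to a
--    parameter, @custid, whose value is supplied separately to sp_executesql,
--    so whatever the user typed is only ever compared as data.
SET @sql = N'
SELECT custid, ' + @cols + N'
FROM (SELECT custid, orderyear, qty
      FROM #Orders
      WHERE custid >= @custid) AS D
  PIVOT(SUM(qty) FOR orderyear IN (' + @cols + N')) AS P
ORDER BY custid;';

EXEC sys.sp_executesql
  @stmt   = @sql,
  @params = N'@custid VARCHAR(10)',
  @custid = @mincust;

-- For contrast, the pattern the note warns against. Here the user value is
-- spliced into the statement text, so an input that closes the quote and
-- appends its own statement (for example one beginning with '''; ') would be
-- executed as T-SQL. Shown as a comment only; do not run it.
-- SET @sql = N'... WHERE custid >= ''' + @mincust + N''' ...';
```

The split in the example is the rule of thumb to apply generally: anything that must become part of the *code* (column names in the IN list) is taken from a trusted source or your own data and passed through QUOTENAME; anything that is merely a *value* is never part of the code text and travels as a parameter. Because the parameter is typed (VARCHAR(10)), an overly long or oddly formed input is also rejected or truncated by the engine rather than reaching the query text.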