It is a SQL injection vulnerability only if the dynamic parts of the query aren't checked before being used. If the code ensures that neither "name" nor "subName" contains anything that upsets the SQL statement, then there is no vulnerability.
Tim Moores wrote:
Prepared statements do not work in this case, as Abhishek already mentioned.
Well, they do, but it takes a little more work.
You build up the queryand then assign the parameters in a loop, exactly how depends on where the search criteria is coming from, but a List of Field Name/Search Value is one.
That's how a lot of search queries work, where you don't know exactly what fields are going to be queried on.