You can call this "Dynamic SQL using String Concatenation." It’s not SQL Injection in the malicious sense, but security teams might still flag it.

To avoid concerns:

Check if DB2 allows parameterization differently. Validate and whitelist inputs to prevent risks. Use stored procedures if possible for better security. It’s safe if controlled, but still worth explaining properly to your security team.