kelsie_85 wrote in webdev

SQL injection .NET

The pentesters told us that the following code is vulnerable to SQL injection in our e-store:

create procedure dbo.uspBeAfraidBeVeryAfraid ( @p1 varchar(64) )
AS
SET NOCOUNT ON
declare @sql varchar(512)
set @sql = 'select * from ' + @p1
exec(@sql)
GO


How should I fix the issue?
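One defensive rewrite of the procedure above, as an added example that is not part of the original post. A table name cannot be passed as a bound parameter, so the fix validates it against an allow-list and emits it with QUOTENAME, while ordinary values go through sp_executesql as real parameters; the allow-listed table names and the @MaxRows parameter are assumptions for the example.

```sql
-- Added example, not the poster's code: hardened replacement for
-- dbo.uspBeAfraidBeVeryAfraid. Object names cannot be parameterized,
-- so the table name is (1) checked against an allow-list and
-- (2) emitted via QUOTENAME as a single delimited identifier;
-- (3) any filter/limit value travels as a real parameter.
CREATE PROCEDURE dbo.uspSelectFromAllowedTable
    @p1      sysname,        -- requested table name (user-controlled)
    @MaxRows int = 100       -- assumed value parameter for the example
AS
SET NOCOUNT ON;

-- 1. Allow-list: only these tables may be read through this procedure.
--    Table names are hypothetical; replace them with the e-store's own.
DECLARE @Allowed TABLE (TableName sysname PRIMARY KEY);
INSERT INTO @Allowed (TableName) VALUES (N'Products'), (N'Categories');

IF NOT EXISTS (SELECT 1 FROM @Allowed WHERE TableName = @p1)
BEGIN
    RAISERROR(N'Table not permitted.', 16, 1);
    RETURN 1;
END;

-- 2. QUOTENAME brackets the identifier, so even an unexpected value
--    can only ever be interpreted as one object name, never as SQL text.
DECLARE @sql nvarchar(max) =
    N'SELECT TOP (@MaxRows) * FROM dbo.' + QUOTENAME(@p1) + N';';

-- 3. Values are bound with sp_executesql instead of concatenated.
EXEC sys.sp_executesql @sql, N'@MaxRows int', @MaxRows = @MaxRows;
GO
```

Grant EXECUTE on the procedure to the application login and nothing more, so the dynamic statement runs with the least privilege the e-store actually needs.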