I think the best way is to build a dynamic SQL statement and add a lookup to see if the column exists, to prevent SQL injection in the column name.
-- @strDept carries the caller-supplied column name, @strUser the value to match on
declare @strDept nvarchar(10), @strUser nvarchar(30),
        @sql nvarchar(300), @found smallint
set @strDept = 'f18'
set @strUser = 'Ted Lee'
-- Look the column name up in the catalog (sys.columns replaces the deprecated syscolumns),
-- so only a real column of table1 can ever reach the dynamic SQL
set @found = (SELECT count(*)
              FROM sys.columns
              WHERE object_id = OBJECT_ID('table1') AND name = @strDept)
-- QUOTENAME brackets the validated column name; the user value is bound as a parameter
-- via sp_executesql instead of being concatenated into the statement text
set @sql = N'select x, y, z from table1 where ' + QUOTENAME(@strDept) + N' in (@user)'
if @found = 1 exec sp_executesql @sql, N'@user nvarchar(30)', @user = @strUser
SQL injection testing: see the SQL Fiddle at http://www.sqlfiddle.com/#!6/df3f6/18/0