You may refer to this post of mine

http://stackoverflow.com/questions/3092121/sql-going-nuts-does-not-accept-parameters

Simply put, I don't have a choice: I have to take input of which table the user wants and what the user wants from that table.

Please suggest a secure way to achieve this, within the limitations of the code.

Thank you.

A: 

Why don't you just define what each user can do by means of application roles in your SQL Server database - then you just try to select something, and if that user doesn't have the necessary rights, you'll get an exception that you can handle.

Seems the easiest rather than building your own elaborate security system - there are always potential flaws and gaping holes in those "I'll roll my own" schemes...

marc_s
Will try, thanks.
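
A T-SQL sketch of the application-role approach from the answer above, added here as an example and not code from the question or the answer. The role name, table names and password are hypothetical placeholders; it also quotes the user-chosen table name with `QUOTENAME` before it reaches dynamic SQL, which goes one step beyond what the answer states.

```sql
-- Added example. ReportReader, dbo.Orders, dbo.Customers, dbo.Salaries and
-- the password are hypothetical placeholders, not names from the original post.

-- 1. One-time setup by an administrator: the role may read only these tables.
CREATE APPLICATION ROLE ReportReader
    WITH PASSWORD = '<placeholder-strong-password>';
GRANT SELECT ON OBJECT::dbo.Orders    TO ReportReader;
GRANT SELECT ON OBJECT::dbo.Customers TO ReportReader;
-- dbo.Salaries is deliberately not granted.
GO

-- 2. Per connection: switch to the role and keep a cookie to revert later.
DECLARE @cookie varbinary(8000);
EXEC sys.sp_setapprole
     @rolename      = N'ReportReader',
     @password      = N'<placeholder-strong-password>',
     @fCreateCookie = true,
     @cookie        = @cookie OUTPUT;

-- 3. The table name chosen by the user (constructed sample input).
DECLARE @table sysname = N'Salaries';

-- A table name cannot be passed as a parameter, so it is concatenated,
-- but only after QUOTENAME has turned it into one bracketed identifier.
-- Input such as N'Orders; DROP TABLE dbo.Orders' becomes a single
-- (nonexistent) table name instead of a second statement.
DECLARE @sql nvarchar(max) =
    N'SELECT * FROM dbo.' + QUOTENAME(@table) + N';';

BEGIN TRY
    -- The server enforces the role's rights; no hand-written allow-list.
    EXEC sys.sp_executesql @sql;
END TRY
BEGIN CATCH
    -- Missing SELECT permission or an unknown table ends up here.
    -- Return the details to the caller, which decides what the user sees.
    SELECT ERROR_NUMBER() AS error_number, ERROR_MESSAGE() AS error_message;
END CATCH;

-- 4. Leave the role so a pooled connection is not reused with it active.
EXEC sys.sp_unsetapprole @cookie;
```

An application role also receives whatever is granted to `public`, so review those grants as well. Filter values chosen by the user should still be passed to `sp_executesql` as parameters; only the identifier needs `QUOTENAME`.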