Continued:- cannot use SqlAdapter or DataSet or anything - just SqlCommand
You may refer to this post of mine
SQL going nuts! does not accept parameters,?
Simply put, I don't have a choice: I have to take input of which table the user wants and what the user wants from that table.
Please suggest a secure way to achieve this, within the limitations of the code.
Thank you.
Why don't you just define what each user can do by means of application roles in your SQL Server database - then you just try to select something, and if that user doesn't have the necessary rights, you'll get an exception that you can handle.
Seems the easiest rather than building your own elaborate security system - there are always potential flaws and gaping holes in those "I'll roll my own" schemes.......
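An added example, not code from either post: one way to take the table name from the user with only SqlCommand, combining an allowlist and identifier quoting with the permission check the answer describes. The table names, the `Id` column, the `dbo` schema and the class and method names are assumptions made for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class TableReader
{
    // Constructed allowlist (assumption): the only tables this feature may expose.
    static readonly string[] Allowed = { "Customers", "Orders" };

    // Same rule as T-SQL QUOTENAME: wrap in [] and double any ']'.
    public static string QuoteIdentifier(string name)
    {
        return "[" + name.Replace("]", "]]") + "]";
    }

    // Return the allowlisted spelling, never the user's own string.
    public static string ResolveTable(string userInput)
    {
        foreach (string t in Allowed)
            if (string.Equals(t, userInput, StringComparison.OrdinalIgnoreCase))
                return t;
        throw new ArgumentException("Unknown table.");
    }

    public static void PrintRows(string connectionString, string userTable, int id)
    {
        // Identifiers cannot be SQL parameters, so the table name is resolved
        // and quoted; the value still travels as a real parameter.
        string sql = "SELECT * FROM dbo." + QuoteIdentifier(ResolveTable(userTable))
                   + " WHERE Id = @id";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            conn.Open();
            try
            {
                using (SqlDataReader r = cmd.ExecuteReader())
                    while (r.Read()) Console.WriteLine(r[0]);
            }
            catch (SqlException ex) when (ex.Number == 229)
            {
                // 229 = permission denied on the object: the database role
                // refused the SELECT, as described in the answer above.
                Console.WriteLine("Not allowed to read that table.");
            }
        }
    }
}
```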