It is bad practice to concatenate user input directly into SQL queries. This opens easily exploitable SQL injection vulnerabilities.
The proper way to do it is to wrap the table name in Identifier and interpolate it into the query using the same mechanism as other inputs. Identifier's ToField instance makes sure that the table name is properly quoted/escaped.
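The concatenated form and the Identifier form side by side, as an added example that is not part of the original comment or of any project's code. It assumes the library is postgresql-simple (the comment names only Identifier and ToField) and a PostgreSQL server reachable through the libpq PG* environment variables; the function names, the `id` column and the sample table name are hypothetical.

```haskell
{-# LANGUAGE OverloadedStrings #-}
module Main (main) where

import qualified Data.ByteString.Char8 as B8
import           Data.Int (Int64)
import           Data.String (fromString)
import           Data.Text (Text)
import qualified Data.Text as T
import           Database.PostgreSQL.Simple
import           Database.PostgreSQL.Simple.Types (Identifier (..))

-- Unsafe (hypothetical helper): the table name is pasted into the SQL text,
-- so whatever the caller supplies is parsed by the server as SQL.
countRowsUnsafe :: Connection -> Text -> IO [Only Int64]
countRowsUnsafe conn table =
  query_ conn (fromString ("SELECT count(*) FROM " ++ T.unpack table))

-- Safe (hypothetical helper): the query text is a constant. The table name
-- travels as a parameter wrapped in Identifier, whose ToField instance has
-- it escaped as one quoted identifier; minId uses the ordinary value path.
countRowsSafe :: Connection -> Text -> Int -> IO [Only Int64]
countRowsSafe conn table minId =
  query conn "SELECT count(*) FROM ? WHERE id >= ?" (Identifier table, minId)

main :: IO ()
main = do
  -- Assumption: an empty conninfo string makes libpq read PGHOST, PGUSER, etc.
  conn <- connectPostgreSQL ""

  -- Constructed sample input: a table name containing spaces and double
  -- quotes, which a bare concatenation would not keep as a single identifier.
  let table = "audit \"2024\" log" :: Text

  -- formatQuery renders the final SQL without executing it, so the quoting
  -- applied to the Identifier parameter can be inspected directly.
  rendered <- formatQuery conn
                "SELECT count(*) FROM ? WHERE id >= ?"
                (Identifier table, 1 :: Int)
  B8.putStrLn rendered

  close conn
```

Printing the output of formatQuery in a test or a debugging session is a quick way to confirm that no code path still builds the table name into the query string by hand.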