Handling Dynamic Query Requirements

Real-world applications often require dynamic queries where table names, column names, or query structure varies. Parameterized queries only protect data values, not SQL identifiers, requiring additional strategies:

// C# implementation with dynamic but safe queries
public class SafeDynamicQuery
{
    private readonly HashSet<string> _allowedTables = new HashSet<string> 
    { 
        "users", "products", "orders" 
    };
    
    private readonly Dictionary<string, string> _allowedColumns = new Dictionary<string, string>
    {
        {"name", "user_name"},
        {"email", "user_email"},
        {"date", "created_at"}
    };
    
    public DataTable ExecuteDynamicQuery(string tableName, string sortColumn, string filterValue)
    {
        // Validate table name against whitelist
        if (!_allowedTables.Contains(tableName))
            throw new ArgumentException("Invalid table name");
        
        // Map user-provided column to actual column name
        if (!_allowedColumns.TryGetValue(sortColumn, out string actualColumn))
            throw new ArgumentException("Invalid sort column");
        
        // Build query with validated identifiers and parameterized values
        string query = $"SELECT * FROM {tableName} WHERE status = @status ORDER BY {actualColumn}";
        
        using (SqlCommand cmd = new SqlCommand(query, connection))
        {
            cmd.Parameters.AddWithValue("@status", filterValue);
            // Execute safely
        }
    }
}