Hi,

I was quite displeased to learn that I can't parameterize table names/field names in an OleDbCommand...


Code:
        ' Attempt to parameterize the table name; OLE DB uses positional '?' placeholders.
        Dim CMDStr As String = "SELECT CustomerID FROM ?;"
        Dim CMD As New OleDbCommand(CMDStr, vConnection)
        ' Parameters supply values only, never identifiers, so this binds the table name
        ' as a string value (or the provider rejects it) instead of naming a table.
        CMD.Parameters.AddWithValue("@Tablename", Tablename)
        Return CMD.ExecuteScalar() 'fail...............
Use parameterized queries, they say! SQL injection you will fall victim to, they say!

I suppose that leaves string concatenation as my only option to solve this problem? If that is true, any tips on validating user input? Any libraries/tools built into .NET that help with this, or is it as simple as using a white/black list to check for bad expressions / keywords?

For context: Scope of the application is not of huge security concern, but I always like to be secure!


Thanks for any tips.
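Added example (not part of the original post): the allowlist approach for the dynamic table name in the query above. The user's input is only ever matched against fixed table names; the literal from the allowlist is what gets concatenated, and the row value still travels as a '?' parameter. The table names, the `CustomerName` column and the `vConnection` variable are assumptions for the example.

```vbnet
Imports System.Data.OleDb

Module SafeTableLookup
    ' Allowlist of tables the application may query (example names, assumed for this snippet).
    Private ReadOnly AllowedTables() As String = {"Customers", "ArchivedCustomers"}

    ' Maps the requested name onto an allowlisted table name. The returned string is always
    ' one of the literals above, so the caller's own characters never reach the SQL text.
    ' Unknown names raise rather than fall back to a default table.
    Public Function ResolveTableName(requested As String) As String
        For Each allowed In AllowedTables
            If String.Equals(allowed, requested, StringComparison.OrdinalIgnoreCase) Then
                Return allowed
            End If
        Next
        Throw New ArgumentException("Table name is not permitted: " & If(requested, "(null)"))
    End Function

    ' Looks up a CustomerID by customer name in the chosen table.
    Public Function LookupCustomerId(vConnection As OleDbConnection,
                                     requestedTable As String,
                                     customerName As String) As Object
        ' Only the allowlisted identifier is concatenated; bracket quoting keeps it an identifier.
        Dim cmdStr As String = "SELECT CustomerID FROM [" & ResolveTableName(requestedTable) &
                               "] WHERE CustomerName = ?;"
        Using cmd As New OleDbCommand(cmdStr, vConnection)
            ' OleDb parameters are positional (the '?' marker); the name here is only a label.
            cmd.Parameters.AddWithValue("@CustomerName", customerName)
            Return cmd.ExecuteScalar()
        End Using
    End Function
End Module
```

If the set of tables is not known at compile time, the same pattern works with names read once from `vConnection.GetSchema("Tables")` instead of the fixed array; the point is that the SQL text only ever contains a name the application already trusts.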