I am looking to build an internal tool that allows the generation of data in a database from a GUI. Of course, with a parameterised query, if the tables and columns are known beforehand this is no problem; however, in this instance the table names and column names are provided by the user.
My question is, how insecure is it to dynamically generate the insert statements from the developer's input?
INSERT INTO "{table}" ({column_1}, {column_2}, ...)
VALUES (@v1, @v2, ...);
Is it safe to execute the above in a prepared statement, if and only if the {table} and {column_x} are sanitised to only allow ASCII characters that are lowercase, uppercase or underscores?
The values are added as per prepared statement, so are safe.
As a prerequisite, the app requires authentication and authorisation, and requires the database user details to be supplied before execution, but let's say a malicious user had all of this information: is it possible to do any kind of injection on the above INSERT statement?
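As an added example (not part of the question or any answer), the following Python/sqlite3 code shows one way to implement the scheme described above: identifiers are checked against the question's allow-list (ASCII letters and underscores only) before being quoted into the statement, the table and column names are then cross-checked against what the database catalog actually reports, and the values are bound as parameters. The function names, the in-memory `users` table and the sample row are constructed for illustration; `?` placeholders are used because that is sqlite3's parameter syntax, standing in for the `@v1` style in the question.

```python
import re
import sqlite3

# Identifier rule exactly as stated in the question: ASCII letters and underscores only.
# Digits are deliberately excluded to stay faithful to that rule (so "table2" is rejected).
IDENT_RE = re.compile(r"^[A-Za-z_]+$")


def validate_identifier(name: str) -> str:
    """Return the identifier unchanged if it matches the allow-list, otherwise raise."""
    if not isinstance(name, str) or not IDENT_RE.fullmatch(name):
        raise ValueError(f"rejected identifier: {name!r}")
    return name


def is_valid_identifier(name) -> bool:
    """Boolean convenience wrapper around validate_identifier."""
    try:
        validate_identifier(name)
        return True
    except ValueError:
        return False


def build_insert(table: str, columns: list[str]) -> str:
    """Build the INSERT text. Identifiers are validated and then double-quoted;
    values are never interpolated, only '?' placeholders are emitted."""
    if not columns:
        raise ValueError("at least one column is required")
    table = validate_identifier(table)
    cols = [validate_identifier(c) for c in columns]
    col_list = ", ".join(f'"{c}"' for c in cols)
    placeholders = ", ".join("?" for _ in cols)
    return f'INSERT INTO "{table}" ({col_list}) VALUES ({placeholders})'


def catalog_columns(conn: sqlite3.Connection, table: str) -> set[str]:
    """Columns the database itself reports for `table` (empty set if no such table).
    This is the second layer: an identifier must not only look safe, it must name a
    real, intended target. PRAGMA cannot take a bound parameter, so the name is
    validated first and then quoted (sqlite-specific; other engines use information_schema)."""
    table = validate_identifier(table)
    rows = conn.execute(f'PRAGMA table_info("{table}")').fetchall()
    return {row[1] for row in rows}  # row[1] is the column name


def safe_insert(conn: sqlite3.Connection, table: str, columns: list[str], values: list) -> int:
    """Validate identifiers, check them against the catalog, and run the parameterised
    INSERT. Returns the number of rows inserted."""
    if len(columns) != len(values):
        raise ValueError("column/value count mismatch")
    known = catalog_columns(conn, table)
    if not known:
        raise ValueError(f"unknown table: {table!r}")
    unknown = [c for c in columns if validate_identifier(c) not in known]
    if unknown:
        raise ValueError(f"unknown columns: {unknown}")
    sql = build_insert(table, columns)
    with conn:  # commit on success, roll back on error
        cur = conn.execute(sql, tuple(values))
    return cur.rowcount


def rejects_unknown_column() -> bool:
    """Constructed check: a syntactically valid column name that the table lacks is refused."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "users" ("name" TEXT, "email" TEXT)')
    try:
        safe_insert(conn, "users", ["name", "password"], ["alice", "x"])
        return False
    except ValueError:
        return True


def demo() -> list[tuple]:
    """Constructed scenario: an in-memory database with one table and one inserted row.
    The apostrophe in the name is stored literally because the value is bound, not spliced."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "users" ("name" TEXT, "email" TEXT)')
    safe_insert(conn, "users", ["name", "email"], ["O'Brien", "obrien@example.com"])
    return conn.execute('SELECT "name", "email" FROM "users"').fetchall()


if __name__ == "__main__":
    print(build_insert("users", ["name", "email"]))
    print(demo())
```

The regex alone answers the "can the statement text be broken" part; the catalog check addresses the separate problem that a perfectly well-formed identifier can still name a table or column the tool was never meant to write to, which is an authorisation question rather than an injection one.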