How To: Mitigate SQL Injection from Untrusted Table Name