Honestly, I would strongly recommend you don't go that route. It's going to be messy, a pain to code and maintain and a huge security risk.
The only way to do that is dynamic SQL. Be sure to read up on SQL Injection first.
Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability