• As you have it currently configured, you're right not to trust it. You're completely open to SQL Injection. For a good laugh, and a good education, see Bobby Tables. As you're using it, you're begging for trouble. sp_executesql does support parameters, but you won't be able to just pass it table names like that. If you really want to do that (and I'm convinced it's a poor choice), you need to first do some type of check against the parameter values to ensure that what is passed is actually a real table name. Check in sys.objects or something. Just don't leave it raw like that.

    "The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
    - Theodore Roosevelt

    Author of:
    SQL Server Execution Plans
    SQL Server Query Performance Tuning
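One way to put the reply's advice into practice, added here as an example rather than code from the poster: the table name is checked against sys.objects before any dynamic SQL is built, the name that reaches the statement comes from the catalog (via QUOTENAME) rather than from the raw input, and the data value is passed through sp_executesql's parameter list. It assumes the caller may only read user tables in the dbo schema, and that those tables share an integer column named CustomerID; the procedure and column names are hypothetical.

```sql
-- Added example (not from the original post): validate a caller-supplied table
-- name against sys.objects, then run the query through sp_executesql with the
-- filter value as a typed parameter instead of concatenated text.
-- Assumptions (hypothetical): callers may only read user tables in schema dbo,
-- and each such table has an integer column named CustomerID.
-- CREATE OR ALTER needs SQL Server 2016 SP1 or later; use CREATE PROCEDURE on older builds.
CREATE OR ALTER PROCEDURE dbo.GetRowsByCustomer
    @TableName  sysname,
    @CustomerID int
AS
BEGIN
    SET NOCOUNT ON;

    -- 1. Allow-list check: the string must match exactly one real user table
    --    in dbo. Anything that is not a catalog name is rejected outright,
    --    so quoting characters in the input never reach the SQL text.
    DECLARE @ObjectId int;
    SELECT @ObjectId = o.object_id
    FROM sys.objects AS o
    JOIN sys.schemas AS s ON s.schema_id = o.schema_id
    WHERE o.type = 'U'            -- user tables only
      AND s.name = N'dbo'
      AND o.name = @TableName;    -- exact match, no wildcards

    IF @ObjectId IS NULL
    BEGIN
        RAISERROR(N'Unknown or disallowed table name.', 16, 1);
        RETURN;
    END;

    -- 2. Build the statement from the catalog's own name for the object,
    --    delimited with QUOTENAME, never from the raw @TableName value.
    DECLARE @Sql nvarchar(max) =
        N'SELECT * FROM '
        + QUOTENAME(OBJECT_SCHEMA_NAME(@ObjectId))
        + N'.' + QUOTENAME(OBJECT_NAME(@ObjectId))
        + N' WHERE CustomerID = @CustomerID;';

    -- 3. The data value travels as a parameter, so it is bound as a value,
    --    never parsed as SQL, and the plan can be reused across calls.
    EXEC sys.sp_executesql
        @Sql,
        N'@CustomerID int',
        @CustomerID = @CustomerID;
END;
GO

-- Usage (constructed for this example; dbo.Orders is assumed to exist):
-- EXEC dbo.GetRowsByCustomer @TableName = N'Orders',         @CustomerID = 42;  -- runs the query
-- EXEC dbo.GetRowsByCustomer @TableName = N'NoSuchTable',    @CustomerID = 42;  -- raises 'Unknown or disallowed table name.'
```

The catalog lookup is what turns the free-text parameter into an allow-list: only names that already exist as user tables can pass, and the name actually used in the statement is the one stored in sys.objects, not the caller's string. If the set of permitted tables is known up front, a dedicated mapping table or a hard-coded list is an even tighter check than "any user table in dbo".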