parameterizing the query
Would that alone do it? Because if so, I have nothing to be concerned about. There are also other indirect safeguards in my design. The primary one is that I never use the dbo schema anymore, though it still exists in older designs. This prevents simply using a table name. The tables also have FK constraints. These would prohibit them from simply being truncated per your example, although I know there are other possible bad requests.
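An added example, not part of the original post: it contrasts a query built by string concatenation with the same lookup using a bound parameter, and shows what a foreign key does and does not stop. SQLite (through Python's `sqlite3`) stands in for the poster's database here; the table names, function names and input string are constructed for illustration.

```python
import sqlite3

# Constructed input: a value that closes the quoted string and alters the WHERE clause.
HOSTILE = "nobody' OR '1'='1"

def build_db():
    """Create a constructed two-table schema with a foreign key between them."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite only enforces FKs when asked
    db.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE orders (id INTEGER PRIMARY KEY,
                             customer_id INTEGER NOT NULL REFERENCES customers(id));
        INSERT INTO customers VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO orders VALUES (10, 1), (11, 2);
    """)
    return db

def lookup_concatenated(db, name):
    # Deliberately unsafe "before" form: the input becomes part of the SQL text.
    sql = "SELECT id, name FROM customers WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, name):
    # The statement text is fixed; the input is bound as a value and never parsed as SQL.
    return db.execute(
        "SELECT id, name FROM customers WHERE name = ?", (name,)
    ).fetchall()

def fk_blocks_parent_delete(db):
    # The FK refuses to remove rows that orders still reference...
    try:
        db.execute("DELETE FROM customers")
        return False
    except sqlite3.IntegrityError:
        return True

if __name__ == "__main__":
    db = build_db()
    print("parameterized, normal input :", lookup_parameterized(db, "alice"))
    print("parameterized, hostile input:", lookup_parameterized(db, HOSTILE))
    # ...but it has no effect on what a rewritten WHERE clause can read.
    print("concatenated, hostile input :", lookup_concatenated(db, HOSTILE))
    print("FK blocked parent delete    :", fk_blocks_parent_delete(db))
```

The bound parameter protects only the values passed through it; any table or column name that is still concatenated into the statement text needs its own allow-list check.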