• That's very open to injection as well, you should be using QUOTENAME, not wrapping the object names with brackets ([]); the latter can easily be got around. I'd recommend using sysname as your parameter type as well. An object's name can contain any character, and have up to 128 characters, and sysname is a synonym for nvarchar(128). Although it would likely be "foolish" to call your table something like "My long table name! [For individual customers] {no company names allowed} ... /*More characters up to to make the name ever longer?!*/" it could very well exist.

    Thom~

    Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
    Larnu.uk
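
The difference described in the comment above, as an added T-SQL example that is not part of the original post. The `dbo` schema, the variable names and the row-count query are assumptions for illustration, and the table name is a constructed sample shortened from the one in the comment.

```sql
-- Constructed sample: a legal object name that contains ']' in the middle.
DECLARE @SchemaName sysname = N'dbo',
        @TableName  sysname = N'My long table name! [For individual customers] {no company names allowed}';

-- Bracket wrapping: the ']' after "customers" ends the delimited identifier
-- early, so the rest of the value is parsed as SQL text, not as the name.
DECLARE @Wrapped nvarchar(max) = N'[' + @SchemaName + N'].[' + @TableName + N']';

-- QUOTENAME doubles each ']' inside the value, so it stays one identifier.
DECLARE @Quoted nvarchar(max) = QUOTENAME(@SchemaName) + N'.' + QUOTENAME(@TableName);

-- Compare the two strings side by side before anything is executed.
SELECT @Wrapped AS BracketWrapped, @Quoted AS QuoteNamed;

-- QUOTENAME returns NULL for input longer than 128 characters. A sysname
-- variable keeps the value within that length, but check anyway so that a
-- NULL never silently turns the whole concatenated statement into NULL.
IF @Quoted IS NULL
BEGIN
    RAISERROR(N'Object name could not be quoted.', 16, 1);
    RETURN;
END;

-- Only build the statement for a table that exists in the catalog.
IF NOT EXISTS (SELECT 1
               FROM sys.tables AS t
               JOIN sys.schemas AS s ON s.schema_id = t.schema_id
               WHERE s.name = @SchemaName
                 AND t.name = @TableName)
BEGIN
    RAISERROR(N'Table not found.', 16, 1);
    RETURN;
END;

-- The quoted name is the only dynamic part of the statement.
DECLARE @SQL nvarchar(max) = N'SELECT COUNT(*) AS RowCnt FROM ' + @Quoted + N';';
EXEC sys.sp_executesql @SQL;
```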