I have a project (private, ASP.NET website, password protected with https) where one of the requirements is that the user be able to enter SQL queries that will directly query t
Here is another example.
The hacker doesn't need to know the real table name; he/she can run undocumented procs like this:
sp_msforeachtable 'print ''?'''
Just instead of print it will be drop.
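
A least-privilege setup for the account that runs user-entered queries, as an added example that is not part of the original posts. The names ReportingDemo, dbo.Orders and adhoc_reader are hypothetical, and the user is created WITHOUT LOGIN only so the script can impersonate it with EXECUTE AS; a real site would map it to the login its connection string uses.

```sql
-- Constructed demo database and table (hypothetical names).
CREATE DATABASE ReportingDemo;
GO
USE ReportingDemo;
GO
CREATE TABLE dbo.Orders (Id int PRIMARY KEY, Amount money NOT NULL);
INSERT INTO dbo.Orders (Id, Amount) VALUES (1, 10.00), (2, 25.50);
GO

-- Dedicated database user for ad-hoc queries. It is not dbo, not db_owner,
-- not db_ddladmin; its only grant is SELECT on the dbo schema.
CREATE USER adhoc_reader WITHOUT LOGIN;
GRANT SELECT ON SCHEMA::dbo TO adhoc_reader;
GO

-- Run the user-supplied statements under that identity.
EXECUTE AS USER = 'adhoc_reader';

-- An ordinary read, covered by the SELECT grant.
SELECT Id, Amount FROM dbo.Orders;

-- The enumeration call from the post. It runs with the caller's permissions,
-- so whatever command it is given is checked against adhoc_reader's grants.
EXEC sp_msforeachtable 'print ''?''';

-- DROP TABLE needs ALTER on the schema or CONTROL on the table.
-- adhoc_reader has neither, so the statement raises a permission error,
-- whether it is typed directly or passed to sp_msforeachtable.
BEGIN TRY
    DROP TABLE dbo.Orders;
END TRY
BEGIN CATCH
    PRINT CONCAT('Blocked: ', ERROR_MESSAGE());
END CATCH;

-- Leave the impersonated context.
REVERT;
GO

-- Check from the original context: a NULL here would mean the table is gone.
SELECT OBJECT_ID(N'dbo.Orders') AS orders_object_id;
GO
```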