Another take on the problem is to internally use pre-computed table names and column names but setup a structure to display the aliases to table/column names as specified by user, which would actually be stored in a table. As these user defined aliases are ever used for display only, it prevents SQL injection problem. However there is some overhead initially setting up this structure.