in reply to Safety of concatenating query string

If the column names come only from your program, and if the search criteria etc. are provided to the query by means of parameters, then this technique is safe.
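
The condition stated in the reply above, shown as an added example that is not part of the original post: column names are concatenated only after being checked against a list the program owns, and every search value is passed as a bound parameter. The `users` table, its columns, the use of `sqlite3`, and the function names are assumptions made for illustration.

```python
import sqlite3

# Identifiers the program itself defines (assumed schema for this example).
ALLOWED_COLUMNS = {"id", "name", "email"}
ALLOWED_SORT = {"asc": "ASC", "desc": "DESC"}


def build_query(columns, filters, order_by=None, direction="asc"):
    """Return (sql, params). Identifiers are concatenated only after an
    allowlist check; search values never enter the SQL text."""
    if not columns:
        raise ValueError("at least one column is required")
    for col in list(columns) + list(filters) + ([order_by] if order_by else []):
        if col not in ALLOWED_COLUMNS:
            raise ValueError(f"column not allowed: {col!r}")
    if direction not in ALLOWED_SORT:
        raise ValueError(f"sort direction not allowed: {direction!r}")

    sql = "SELECT " + ", ".join(columns) + " FROM users"
    params = []
    if filters:
        # One placeholder per criterion; the values go to the driver separately.
        sql += " WHERE " + " AND ".join(f"{col} = ?" for col in filters)
        params = list(filters.values())
    if order_by:
        sql += f" ORDER BY {order_by} {ALLOWED_SORT[direction]}"
    return sql, params


def demo_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def search(conn, columns, filters, order_by=None, direction="asc"):
    sql, params = build_query(columns, filters, order_by, direction)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = demo_db()
    print(build_query(["id", "name"], {"email": "bob@example.test"}, "name", "desc"))
    print(search(db, ["name"], {"name": "x' OR '1'='1"}))  # value is compared literally
```

If a column name ever has to come from user input, map it through the same allowlist rather than quoting or escaping it.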