There is no validation that the database table and user field specified are actually good. When you try to
send them to a prepared statement, it quotes them. Any ideas on how to do a better job for this?
Seems like a gaping hole.