You cannot directly parameterize the table name. You can do it indirectly via sp_ExecuteSQL, but you might just as well build the (parameterized) TSQL in C# (concatenating the table-name but not the other values) and send it down as a command. You get the same security model (i.e. you need explicit SELECT etc, and assuming it isn’t signed etc).
Also – be sure to white-list the table name.
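
The approach described above, as an added example that is not part of the original answer: the table name is resolved through an allow-list and concatenated, while the value stays a parameter. The table names, columns, the `@region` parameter, the `TableQuery` class and the choice of `Microsoft.Data.SqlClient` are all assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using Microsoft.Data.SqlClient; // assumption: System.Data.SqlClient works the same way here

public static class TableQuery
{
    // Constructed allow-list (hypothetical names). The caller supplies a key;
    // only the fixed, pre-quoted identifier stored here is ever concatenated.
    private static readonly Dictionary<string, string> AllowedTables =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["customers"] = "[dbo].[Customers]",
            ["archive"]   = "[dbo].[CustomersArchive]",
        };

    public static string BuildSql(string requestedTable)
    {
        if (requestedTable == null ||
            !AllowedTables.TryGetValue(requestedTable, out var table))
        {
            throw new ArgumentException("Table is not on the allow-list.", nameof(requestedTable));
        }
        // The identifier comes from the dictionary, never from the caller's string.
        return $"SELECT Id, Name FROM {table} WHERE Region = @region;";
    }

    public static SqlCommand CreateCommand(SqlConnection conn, string requestedTable, string region)
    {
        var cmd = new SqlCommand(BuildSql(requestedTable), conn);
        // Values are still sent as parameters, not concatenated.
        cmd.Parameters.Add("@region", SqlDbType.NVarChar, 50).Value =
            (object)region ?? DBNull.Value;
        return cmd;
    }

    public static void Main()
    {
        Console.WriteLine(BuildSql("Customers"));
        try
        {
            BuildSql("NotATable"); // constructed input that is not on the list
        }
        catch (ArgumentException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }
    }
}
```

Because the caller's string is only used as a lookup key, anything not on the list is rejected before any SQL text is built.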