by useerup 1560 days ago
Yes. Almost all DBMSs have a way to delimit table/column names (for instance when a name contains spaces or special characters).

However, proper DBMSs expose parameters as 1st class concepts through the API. That has several advantages, some of which are:

1) It is more secure, as you will not have to do this dangerous escaping before invoking. Parameters are substituted by the DBMS.

2) The DBMS can better understand the "dynamic" part of a query and cache query plans.
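
An added example, not part of the comment above: a Python `sqlite3` sketch that puts the two mechanisms the comment mentions side by side, a delimited identifier for a table name containing a space and a bound parameter for the value. The table name `user accounts`, the sample rows and all function names are constructed for illustration.

```python
import sqlite3

TABLE = "user accounts"  # constructed name; the space forces delimiting

def quote_ident(name: str) -> str:
    """Delimit an identifier: wrap in double quotes, double any embedded quote."""
    if "\x00" in name:
        raise ValueError("NUL byte not allowed in an identifier")
    return '"' + name.replace('"', '""') + '"'

def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {quote_ident(TABLE)} (name TEXT, role TEXT)")
    db.executemany(
        f"INSERT INTO {quote_ident(TABLE)} VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")],
    )
    return db

def lookup_concat(db: sqlite3.Connection, name: str) -> list:
    """Unsafe form: the value is spliced into the SQL text, so quote
    characters inside it are parsed as SQL syntax."""
    sql = f"SELECT name FROM {quote_ident(TABLE)} WHERE name = '{name}'"
    return sorted(row[0] for row in db.execute(sql))

def lookup_param(db: sqlite3.Connection, name: str) -> list:
    """Parameterized form: the SQL text is constant and the value is bound
    through the API, so it is never parsed as SQL. The identifier still has
    to be delimited because placeholders cannot stand in for names."""
    sql = f"SELECT name FROM {quote_ident(TABLE)} WHERE name = ?"
    return sorted(row[0] for row in db.execute(sql, (name,)))

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing a quote
    print("concat:", lookup_concat(db, crafted))   # predicate rewritten
    print("param: ", lookup_param(db, crafted))    # treated as a literal
    print("param: ", lookup_param(db, "O'Brien"))  # legitimate apostrophe
    try:
        lookup_concat(db, "O'Brien")
    except sqlite3.OperationalError as exc:
        print("concat fails on a legitimate name:", exc)
```

Because the parameterized statement text never changes between calls, the driver and DBMS can also reuse the prepared statement, which is the plan-caching point in item 2.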