Question

So can someone tell me why the commented-out lines work while the last two lines do not? I am returning a row from a SQLite database using the Compact Framework in C#.

            //String sqlcomm = "SELECT * FROM Asset WHERE " + assetColName + " = \'" + assetColValue + "\'";
            //command.CommandText = sqlcomm;
            command.CommandText = @"SELECT * FROM Asset WHERE $assetColName = '$assetColValue'";
            command.Parameters.AddWithValue("$assetColName", assetColName);
            command.Parameters.AddWithValue("$assetColValue", assetColValue);

Solution 2

I have figured out a way to include a workaround for parameterized column names. I came up with a different way, and since I would be the only one using the column names, I believe this is still a safe bet.

            String sqlcomm = "SELECT * FROM Asset WHERE " + assetColName + " = ";
            command.CommandText = sqlcomm + "$assetColValue";

            //command.CommandText = @"SELECT * FROM Asset WHERE $assetColName = '$assetColValue'";
            //command.Parameters.AddWithValue("$assetColName", assetColName);

            command.Parameters.AddWithValue("$assetColValue", assetColValue);

As you can see from the code above, I concatenated the strings together and was able to use my parameterized column name and value, and the value is then added securely. The column name, however, is not secured, but this is a method that only I will be using, so it's still somewhat safe. I could add regular expressions if I wanted to be more secure, but you get the idea of the fix.

Does anyone foresee a problem with this?

OTHER TIPS

Generally you can't parameterize column names. Try building the command text with the column name put in as per your commented out line but still with the parameter for the column value.

You can always check if a column exists using the INFORMATION_SCHEMA table.

Usages of INFORMATION_SCHEMA: http://blog.sqlauthority.com/2011/10/02/sql-server-ce-list-of-information_schema-system-tables/

TSQL Example: How to check if a column exists in SQL Server table
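The following is an added example, not code from either answer above. It demonstrates in Python's built-in sqlite3 module what the question's bound column name actually does inside SQLite (the same engine the poster's C# provider talks to, so the behaviour carries over), shows why the concatenation in Solution 2 lets the column-name string alter the query, and combines the two tips from the answers: only the value is bound as a parameter, and the column name is checked against the table's own schema (SQLite's PRAGMA table_info, the counterpart of the INFORMATION_SCHEMA check suggested for SQL Server CE) and then quoted as an identifier. The Asset table, its columns (AssetID, Tag, Location), its rows and all function names are assumptions made for this example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the poster's Asset table
    (assumption: the column names and rows are invented here)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Asset (AssetID INTEGER PRIMARY KEY, Tag TEXT, Location TEXT)"
    )
    conn.executemany(
        "INSERT INTO Asset (Tag, Location) VALUES (?, ?)",
        [("A-100", "Lab"), ("A-200", "Warehouse"), ("A-300", "Lab")],
    )
    return conn


def query_with_bound_column(conn, col_name, col_value):
    """What binding the column name really does: SQLite treats every bound
    parameter as a value, so $assetColName becomes the string 'Tag', and the
    WHERE clause compares two constants without ever reading the column.
    (The question's version also wrapped the value in quotes, which turns
    it into a literal too; the value is left unquoted here so that at least
    one real binding happens.)"""
    sql = "SELECT * FROM Asset WHERE $assetColName = $assetColValue"
    return conn.execute(
        sql, {"assetColName": col_name, "assetColValue": col_value}
    ).fetchall()


def query_unchecked_column(conn, col_name, col_value):
    """The pattern from Solution 2: the value is bound safely, but the column
    name is pasted into the SQL text and so can rewrite the WHERE clause."""
    sql = "SELECT * FROM Asset WHERE " + col_name + " = $assetColValue"
    return conn.execute(sql, {"assetColValue": col_value}).fetchall()


def table_columns(conn, table):
    """Allowlist taken from the schema itself. PRAGMA table_info returns one
    row per column; index 1 is the column name. The table name is a fixed
    string chosen by the code, never caller input."""
    return {row[1] for row in conn.execute("PRAGMA table_info(%s)" % table)}


def column_allowed(conn, col_name):
    return col_name in table_columns(conn, "Asset")


def query_by_column(conn, col_name, col_value):
    """Hardened form: reject any column name not present in the schema,
    quote the surviving name as an SQLite identifier (double quotes, with
    embedded quotes doubled) and bind only the value."""
    if not column_allowed(conn, col_name):
        raise ValueError("unknown column: %r" % (col_name,))
    quoted = '"' + col_name.replace('"', '""') + '"'
    sql = "SELECT * FROM Asset WHERE " + quoted + " = $assetColValue"
    return conn.execute(sql, {"assetColValue": col_value}).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Bound column name: no row matches, because 'Tag' = 'A-100' is false.
    print(query_with_bound_column(db, "Tag", "A-100"))
    # Concatenated column name: the "column" rewrites the predicate and
    # every row comes back.
    print(query_unchecked_column(db, "1=1 OR Tag", "nothing"))
    # Allowlisted, quoted identifier plus bound value.
    print(query_by_column(db, "Tag", "A-100"))
```

Running the script shows the three behaviours side by side: the bound column name returns nothing, the concatenated column name with `1=1 OR Tag` returns every row even though the value was bound, and the allowlisted query returns exactly the one asset. Anything not in the schema, including that `1=1 OR Tag` string, is rejected before any SQL is built. In the poster's C# code the same shape is `command.CommandText = "SELECT * FROM Asset WHERE \"" + checkedName + "\" = $assetColValue"` after `checkedName` has been verified against the table's column list.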

Licensed under: CC-BY-SA with attribution