actually that is a valid vulnerability if it wasn't in test code but the correct fix would be to enclose the table name in "" with escaping