@rvk: Even better, I'll experiment with that some more. It would mean that the end-user won't have to bother about field and table names allowed or not allowed, that's something for programmers not for end-users.
@mangakissa: I discovered that too, so I choose the 'easy road' by using full SQL strings in those places.