SQLQuery3.SQL.Text:=('UPDATE :TableParam SET :FieldParam =:CompletedParam WHERE ID =:RowParam;');
In SQLite, table and column names cannot be parameterized in this manner, so you'll have to use string construction.
To avoid injection attack, should still verify that TableParam and FieldParam are valid. First, query the table sqlite_master for the table name:
SELECT tbl_name FROM sqlite_master WHERE TYPE = 'table' AND tbl_name = :TableParam
If the query is good, meaning the table named by TableParam exists, then check FieldParam via TableParam's metadata using the pragma table_info(). Pseudo code below, as I don't have any handy Pascal code demonstrating the same:
stmt := db.prepare('pragma table_info(' + TableParam + ')') // String construction ok since we have verified that TableParam is good
stmt.execute()
The output looks something like this:
cid name type notnull dflt_value pk
--- ---------- -------- ------- ---------- --
0 id integer 1 1
1 key varchar 1 0
2 title varchar 1 0
3 country_id integer 0 0
4 club boolean 1 'f' 0
5 created_at datetime 1 0
6 updated_at datetime 1 0
Programmatically, the pragma's output is itself an SQLite 'result set', and your application code then verifies the 'name' and 'type' columns for FieldParam using said output.
After determining that the column FieldParam exists and is of the expected type, then you construct your query string.