Avoid SQL injection for dynamic column names

string[] yourDynamicColumns = { "Column1", "Column2", "Column3" };

            string queryFormat = "Select {0} From Employee";
            string dynamicQuery = "";
            SqlDataAdapter da = new SqlDataAdapter("select COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME = 'Employee'", con);
            DataTable dtColumns = new DataTable ();
            da.Fill(dtColumns);
            foreach (DataRow row in dtColumns.Rows)
            {
                string columnName = row["COLUMN_NAME"].ToString();
                if (yourDynamicColumns.Contains(columnName))
                    dynamicQuery += columnName + ",";
            }
            dynamicQuery = dynamicQuery.TrimEnd(',');
            string query = string.Format(queryFormat, dynamicQuery);