You can do it, but you really, really shouldn't: it is extremely dangerous. Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead - except you can't for a table name, because SQL won't let it be a variable.
I wouldn't do it myself (I value my data, and don't want my users destroying it) but if you absolutely must, all you have to do is remove the single quotes:
sql = "select * from [" + table_name + "]";