The field names are available here. @SingleNegationElimination suggested making one, but it already exists:
SELECT name FROM PRAGMA_TABLE_INFO('your_table');
cid | name | type |...
Check if a certain column exists by querying:
SELECT 1 FROM PRAGMA_TABLE_INFO('your_table') WHERE name='column1';
So one could pull this into a list and verify each field is in the list. This seems bulletproof for preventing sql injections.