You do not need to know the column names. If you pull information from an open source, like a querystring, and directly insert it into your sql statement, like below, they can add bad stuff to it... like below:
strRequest = Request.QueryString("query")
strSQL = "SELECT column FROM table WHERE column2='" & strRequest & "'"
'This is why it is bad below:
strRequest = "stories from';DROP...;"
'Imaging with me, when they insert this and get it right, they deleted your entire table and all your data. Names are not as hard to guess as most would think.
'Try running the code to remove certain words like "drop" ";" "alter" "create" etc, if you have to pull from a querystring.
If you are interested in reading a good piece on SQL Injection that tells you how to hack into sites that don't protect themselves against such attacks and (what is more important) how to protect your site against such attacts, let me share a URL with you:
This article is easy to read. It takes you on a step by step journey through the hacker's thought process and how he can succeed in creating havoc. It also tells you what you can do to defend you site against such attacks.