What is the SQL Server method of safe-quoting identifiers for dynamic SQL generation?

MySQL has quote_identifier

PostgreSQL has quote_ident

How do I ensure, given a dynamically generated column name for a dynamically generated statement, that the column itself isn't a SQL-injection attack?

Let's say I have a SQL statement,

SELECT [$col] FROM table;

which is essentially the same as

'SELECT [' + $col + '] FROM table;'

What stops an injection attack where

$col = "name] FROM sys.objects; \r
DROP TABLE my.accounts; \r
\ --";

Resulting in