C#, sqlcommand string

Normally I would say "don't do it" as inserting user input into your queries opens up the SQL injection vulnerability. The correct way would be to use parameterized queries.

Unfortunatly, parameters can only be used for values, but not for table or column names. So to easily replace the table name in your query you could simply do a Replace() like that:

EFTGeneral = EFTGeneral.Replace("[EFT.GER2]", "[" + textBox.Text + "]");

But you should make sure that textBox.Text is a valid table name and not something like "; DROP TABLE Users --". This answer shows how you can validate the table name.

Here is my code and now I can create SQL Table name as I want:

try
            {
               string EFTGeneral = @"CREATE TABLE [EFTGNR] (
                                [TestOrderName]   VARCHAR(20)  NOT NULL,    
                                [Template]        VARCHAR(50)  NULL,
                                [Purpose]         VARCHAR(100) NULL,
                                [Category]        VARCHAR(50)  NULL,
                                [DateCreated]         DATETIME NULL,
                                [CreatedBy]       VARCHAR(30)  NULL,
                                [TestObjectBatch] VARCHAR(20)  NULL,
                                [LoadDirection]   VARCHAR(2)   NULL,
                                [ElementType]     VARCHAR(10)  NULL,
                                [FatigueTestType] VARCHAR(50)  NULL,
                                [LoadAmplitude]            INT NULL,
                                [LoadStatic]      INT NULL,
                                [UntilBreakage]   VARCHAR(5)   NULL,
                                [NumberOfObject]           INT NULL,
                                [Remarks]         VARCHAR(200) NULL,
                                PRIMARY KEY CLUSTERED([TestOrderName] ASC));";
                ////

                SqlConnection conn = new SqlConnection(ConnString);
                conn.Open();
                EFTGeneral = EFTGeneral.Replace("[EFTGNR]", "[" + txtbox_testorder.Text + ".GERNERAL]");
                SqlCommand cmd = new SqlCommand(EFTGeneral, conn);
                cmd.ExecuteNonQuery();
                conn.Close();
            }catch(Exception ex)
            {
                MessageBox.Show(ex.Message);
            }

Use SqlCommand to dynamically build your query avoiding risks of injection:

string EFTGeneral = @"CREATE TABLE [EFT.@tableName] (
                                [TestOrderName]   VARCHAR(20)  NOT NULL,    
                                [Template]        VARCHAR(50)  NULL,
                                [Purpose]         VARCHAR(100) NULL,
                                [Category]        VARCHAR(50)  NULL,
                                [DateCreated]         DATETIME NULL,
                                [CreatedBy]       VARCHAR(30)  NULL,
                                [TestObjectBatch] VARCHAR(20)  NULL,
                                [LoadDirection]   VARCHAR(2)   NULL,
                                [ElementType]     VARCHAR(10)  NULL,
                                [FatigueTestType] VARCHAR(50)  NULL,
                                [LoadAmplitude]            INT NULL,
                                [LoadStatic]      INT NULL,
                                [UntilBreakage]   VARCHAR(5)   NULL,
                                [NumberOfObject]           INT NULL,
                                [Remarks]         VARCHAR(200) NULL,
                                PRIMARY KEY CLUSTERED([TestOrderName] ASC));";

using (SqlConnection connection = new SqlConnection(yourConnectionString))
{
    using (SqlCommand command = new SqlCommand(EFTGeneral, connection))
    {
        SqlParameter tableNameParam = new SqlParameter("tableName", SqlDbType.Varchar);
        tableNameParam.Value = textBox.Text;
        command.Parameters.Add(tableNameParam);
        command.ExecuteNonQuery();
    }
}