The construct you're looking for is called "dynamic sql". You can use the execute immediate statement to execute an SQL which is a result of a VARCHAR2/CLOB expression; you can even use bind variables with it (look up that statement in Oracle's docs). More complicated things can be handled with DBMS_SQL package.
In your case the line would be
Be careful, though. By stuffing literal values into the SQL commands you can easily expose yourself to SQL injection even within PL/SQL.
For similar things, you could use the DBMS_ASSERT package, that can help to validate a string is a valid identifier, for example. Or when you construct the table name, you could verify that it is an actual table name against USER_TABLES or ALL_TABLES dictionary views.