I am using commandname and commandargument to control sorting (field and direction). How secure

Question

0

Asked: May 23, 20262026-05-23T19:11:02+00:00 2026-05-23T19:11:02+00:00

I am using commandname and commandargument to control sorting (field and direction). How secure

0

I am using commandname and commandargument to control sorting (field and direction). How secure is the viewstate from SQL injection.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-23T19:11:03+00:00

If you are passing values from the ViewState into concatenated SQL, then yes. However, if you’re using Bind Parameters (you are, aren’t you?) then you don’t have to worry about it.

Bad:

string sql = "select * from product where name = ' + ProductNameTextBox.Text + '"

Good:

string sql = "select * from product where name = @name"

using(var command = new SqlCommand(sql, connection))
{

   SqlParameter param = new SqlServerParameter("@name", SqlDbType.VarChar, 50);
   param.Value = ProductNameTextBox.Text;

   command.Parameters.Add(param);

   command.ExecuteNonQuery();
}

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I am using commandname and commandargument to control sorting (field and direction). How secure

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply