Home/ Questions/Q 605479
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T17:09:00+00:00

I have a stored procedure that receives a string parameter OrderByColumn and builds dynamic

  • 0

I have a stored procedure that receives a string parameter “OrderByColumn” and builds dynamic query accordingly.
This is the part of my stored procedure code:

ROW_NUMBER() OVER (ORDER BY 
  CASE WHEN @OrderByColumn='Date' AND @OrderDirection=0 THEN tbl_Docs.Date END ASC,
  CASE WHEN @OrderByColumn='Count' AND @OrderDirection=0 THEN tbl_Docs.Count END ASC,

And in my code behind function that calls the stores procedure I have: 

cmd.Parameters.Add("@OrderByColumn", SqlDbType.NVarChar).Value = orderByColumn;
cmd.Parameters.Add("@OrderDirection", SqlDbType.Int).Value = orderDirection;

The user sets the OrderByColumn parameter by clicking on the gridviews column header, so there is no direct user input, so as I see there is no option to inject any thing…

In the book they also validate the orderByColumn string, I don’t understand why it’s needed because as I’ve noted the user can’t input direct expression.

My question is:

is it safe?

I’ve also read in some book that ORDER BY clause doesn’t support the use of parameters.
What does it mean?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This seems safe enough to use.

    Im not completely following this section

    I’ve also read in some book that ORDER
    BY clause doesn’t support the use of
    parameters.

    Do you mean the ORDER (ASC/DESC) or column?

    If you are refering to the column, you can achieve this. Something like

    DECLARE @Table TABLE(
        ID INT,
        Val INT
)

INSERT INTO @Table SELECT 1, 3
INSERT INTO @Table SELECT 2, 2
INSERT INTO @Table SELECT 3, 1

DECLARE @FieldNumber INT

SELECT @FieldNumber = 1

SELECT *
FROM    @Table
ORdER BY 
            CASE @FieldNumber 
                WHEN 1 THEN ID
                WHEN 2 THEN Val
            END

SELECT @FieldNumber = 2

SELECT *
FROM    @Table
ORdER BY 
            CASE @FieldNumber 
                WHEN 1 THEN ID
                WHEN 2 THEN Val
            END
    • 0