
.net viewstate safe from SQL injection?

I am using CommandName and CommandArgument to control sorting (field and direction). How secure is the ViewState from SQL injection?


SQL injection is where user-entered values are put directly into queries, allowing malicious users to access or damage your database by taking advantage of your security loopholes. For example, you have a textbox to search, and the value they enter goes inside the actual query.

Unless your command argument is dynamically entered by the user, SQL injection wouldn't be a threat.


If you are using raw SQL, then you are likely using DataTable objects, right? If you are using a DataTable, then you can sort that data after it's pulled from the database using a DataView and bind your control to the DataView. That way, you're not giving user-submitted data access to your SQL. So, in your code you'd do something like this:

using System.Data;

DataTable dt = GetData(); // pull data from DB with no sort specified
DataView view = dt.DefaultView; // get a DataView so you can sort in memory
// assemble the sort string from your command args; this is DataView sort
// syntax evaluated in memory, not SQL, and an unknown column name throws
view.Sort = "Col1, Col2 DESC";
MyControl.DataSource = view;
MyControl.DataBind();


If you are passing values from the ViewState into concatenated SQL, then yes. However, if you're using bind parameters (you are, aren't you?), then you don't have to worry about it.

Bad:

// vulnerable: the user's text is concatenated straight into the SQL
string sql = "select * from product where name = '" + ProductNameTextBox.Text + "'";

Good:

using System.Data;
using System.Data.SqlClient;

string sql = "select * from product where name = @name";

using (var command = new SqlCommand(sql, connection))
{
    // the value travels as a typed parameter, never as part of the SQL text
    SqlParameter param = new SqlParameter("@name", SqlDbType.VarChar, 50);
    param.Value = ProductNameTextBox.Text;

    command.Parameters.Add(param);

    using (SqlDataReader reader = command.ExecuteReader())
    {
        // read the rows here
    }
}
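An added example, not code from any of the answers above, that applies what this answer and the DataView answer describe to the sort-by-CommandArgument case in the question. The filter value is sent as a SqlParameter. The sort is different: an ORDER BY column cannot be a parameter, so the CommandArgument (which round-trips through the client and should be treated as untrusted) is mapped through an allowlist of column names, and only the allowlisted identifier is ever spliced into the SQL text. The Product table, its columns and the token names in the allowlist are assumptions for illustration.

```csharp
// Added example (not from the original answers): sorting from a
// CommandArgument such as "price DESC" without concatenating client text into SQL.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class SafeSort
{
    // Allowlist of sortable columns, keyed by the token sent in CommandArgument.
    // Assumed column names of an assumed Product table.
    private static readonly Dictionary<string, string> SortableColumns =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "name",  "Name" },
            { "price", "Price" },
            { "added", "DateAdded" },
        };

    // Parses "field" or "field direction" from CommandArgument. Any token that is
    // not on the allowlist falls back to a fixed default instead of reaching the query.
    public static string BuildOrderBy(string commandArgument)
    {
        string column = "Name";
        string direction = "ASC";

        if (!string.IsNullOrWhiteSpace(commandArgument))
        {
            string[] parts = commandArgument.Trim()
                .Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);

            string mapped;
            if (parts.Length >= 1 && SortableColumns.TryGetValue(parts[0], out mapped))
            {
                column = mapped;
            }
            if (parts.Length >= 2 && parts[1].Equals("DESC", StringComparison.OrdinalIgnoreCase))
            {
                direction = "DESC";
            }
        }

        // Only our own bracketed identifier and a fixed keyword appear here;
        // the client-supplied string itself is never part of the result.
        return "[" + column + "] " + direction;
    }

    // The filter is a real parameter; only the allowlisted ORDER BY fragment is
    // spliced into the SQL text, because ORDER BY columns cannot be parameters.
    public static DataTable QueryProducts(SqlConnection connection, string nameFilter, string commandArgument)
    {
        string sql = "SELECT Id, Name, Price, DateAdded FROM Product WHERE Name LIKE @name ORDER BY "
                   + BuildOrderBy(commandArgument);

        var table = new DataTable();
        using (var command = new SqlCommand(sql, connection))
        {
            command.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = nameFilter + "%";
            using (var adapter = new SqlDataAdapter(command))
            {
                adapter.Fill(table);
            }
        }
        return table;
    }
}
```

In the button's Command handler you would pass e.CommandArgument.ToString() as the commandArgument. A tampered argument like "Name; DROP TABLE Product--" fails the allowlist lookup and is replaced by the default sort, so the worst a client can do is choose among the columns you decided to expose.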


It depends on whether "put directly into a SQL query" means as parameters of a parameterized query or as literals. If as literals, then the answer is NO.
