Jul 08, 2014
Indeed, as a developer you should never take any user input and place it verbatim into the 'where' string.
Instead, you construct your where clause with ordinal parameters (@0, @1, etc.).
Then pass the actual parameter values into the parameter list of the Paged and other methods.
(this is why there is a separate parameter list in the first place).
Hope this helps.
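The two approaches the reply contrasts, as an added C# illustration that is not from the original thread. The `PagedQuery` delegate stands in for the poster's `Paged` method; its signature (page, items per page, where fragment, separate args) is an assumption, and the `O'Brien` input is a constructed sample.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public static class PagedWhereExample
{
    // Assumed shape of the "Paged" method the reply refers to: the where fragment
    // carries ordinal placeholders (@0, @1, ...) and the values travel separately.
    public delegate IList<T> PagedQuery<T>(int page, int itemsPerPage, string where, params object[] args);

    // What the reply warns against: user input spliced verbatim into the where string.
    // Any quote in the input (even a legitimate one) becomes part of the SQL text.
    public static string UnsafeWhere(string name, string status)
    {
        return "Name = '" + name + "' AND Status = '" + status + "'";
    }

    // What the reply recommends: a fixed where string with ordinal parameters, and the
    // user-supplied values handed over in the separate parameter list so the driver
    // binds them as data rather than as SQL.
    public static (string Where, object[] Args) SafeWhere(string name, string status)
    {
        return ("Name = @0 AND Status = @1", new object[] { name, status });
    }

    // Sanity check for the hardened path: every @n in the where string must have a
    // matching argument, and no argument may be silently left unused.
    public static bool PlaceholdersMatchArgs(string where, object[] args)
    {
        var indices = new HashSet<int>();
        foreach (Match m in Regex.Matches(where, @"@(\d+)"))
            indices.Add(int.Parse(m.Groups[1].Value));
        if (indices.Count != args.Length) return false;
        for (int i = 0; i < args.Length; i++)
            if (!indices.Contains(i)) return false;
        return true;
    }

    public static void Main()
    {
        string name = "O'Brien";   // constructed sample input; the apostrophe is the point
        Console.WriteLine(UnsafeWhere(name, "active"));   // quote breaks the SQL text

        var (where, args) = SafeWhere(name, "active");
        Console.WriteLine(where);                                // placeholders only
        Console.WriteLine(PlaceholdersMatchArgs(where, args));   // args line up with @0, @1
        // var rows = paged<Customer>(1, 20, where, args);       // assumed call shape
    }
}
```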