why it's not parameterized query?
the sort column is passed in a right way:
Code:
cmd.Parameters.Add("@OrderByColumn", SqlDbType.NVarChar).Value = orderByColumn;
cmd.Parameters.Add("@OrderDirection", SqlDbType.Int).Value = orderDirection;
and it's safe regarding sql injects. Isn't it?