Hi folks, I have a procedure for custom/sorting paging a datagrid on a web page. It uses a sort parameter which (unfortunately) I have to pass in to some dynamic SQL and execute using sp_executesql - not ideal, but it works and FAST. However, I have to do an IF.....OR ....(run it) ELSE (don't run sproc) type checking at the start of the sproc against the sort parameter that is passed in. This is simply to check that the sort parameter passed in is an expected column name and not SQL injection. I was just wondering if this is going to cause any performance hit on the query? I'm not sure how to use Query Analyzer when the sproc uses sp_executesql. It is only a fairly small if or else statement, but was just wondering if this is something to worry about performance-wise?
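
The pattern described in the post, sketched as an added example (not the poster's code): an allowlist check on the sort parameter ahead of `sp_executesql`. The table `dbo.Orders`, its columns, and the procedure and parameter names are hypothetical, and `ROW_NUMBER()` assumes SQL Server 2005 or later.

```sql
-- Added example; dbo.Orders, its columns and all names here are hypothetical.
CREATE PROCEDURE dbo.GetOrdersPage
    @SortColumn sysname,
    @SortDir    varchar(4) = 'ASC',
    @PageNumber int = 1,
    @PageSize   int = 25
AS
BEGIN
    SET NOCOUNT ON;

    -- Allowlist check: a few scalar string comparisons, evaluated once per call.
    -- Written as a positive test so a NULL parameter falls through to ELSE.
    IF @SortColumn IN (N'OrderID', N'CustomerName', N'OrderDate')
       AND UPPER(@SortDir) IN ('ASC', 'DESC')
    BEGIN
        DECLARE @sql nvarchar(4000), @FirstRow int, @LastRow int;
        SET @FirstRow = (@PageNumber - 1) * @PageSize + 1;
        SET @LastRow  = @PageNumber * @PageSize;

        -- Only the validated identifier and direction are concatenated;
        -- QUOTENAME brackets the identifier as a second layer of defence.
        SET @sql = N'
            SELECT OrderID, CustomerName, OrderDate
            FROM (
                SELECT OrderID, CustomerName, OrderDate,
                       ROW_NUMBER() OVER (ORDER BY '
                       + QUOTENAME(@SortColumn) + N' ' + UPPER(@SortDir)
                       + N') AS rn
                FROM dbo.Orders
            ) AS paged
            WHERE rn BETWEEN @FirstRow AND @LastRow
            ORDER BY rn;';

        -- Page bounds are passed as real parameters, never concatenated.
        EXEC sp_executesql @sql,
             N'@FirstRow int, @LastRow int',
             @FirstRow = @FirstRow, @LastRow = @LastRow;
    END
    ELSE
    BEGIN
        -- Unexpected column or direction: the dynamic SQL is never built.
        RAISERROR('Invalid sort parameter.', 16, 1);
    END
END
```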