Sorting and Querystrings

Published: Mar 06 2017

I recently added some features to the date search page on this site. I already had some filtering in there for dates and some more for filtering by categories. Today I added sorting. Normally I don't think about why I take the approach I do. In most cases it is just experience and remembering that I had read about it before.

In this case I wanted to note that I was sorting the data via a query parameter. I am using LINQ and it just needs to know what column and which sort order. I didn't want to put the actual text from the query string in though because even though it's LINQ it resembles SQL enough that my brain immediately thought of SQL injection. I don't know if LINQ can be affected by that but what if the user entered invalid text? The function would fail and the page would be unusable. 

My solution is in the image below. I had considered using JavaScript to sort the items and it might have worked well. Unfortunately I am lazy and sorting via LINQ was so quick. I also browse the web with JavaScript disabled and I want the site to be as functional with the bare minimum as I can.

[Image: code for sorting]

The reason I like this is that there are only 2 options and the user can choose between them without actually directly setting the variables. It's a super simple thing, but making sure user inputs are sanitized is important. We all know about Little Bobby Tables. I will grant that this might not be a database function, but for all I know it could somehow be exploited to get other access to the server or any number of bad things.
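
Since the original code survives only as an image, here is an added sketch of the allowlist pattern the post describes; it is not the site's own code. The `Post` type, the `sort` parameter name and the `newest`/`oldest` keys are assumptions made for illustration.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical post type; the site's real model is not shown on the page.
public record Post(string Title, DateTime Published);

public static class PostSorter
{
    private const string DefaultSort = "newest";
    // Allowlist: the only accepted sort keys, each bound to a fixed LINQ
    // ordering. The raw query-string text never reaches the query itself.
    private static readonly Dictionary<string, Func<IEnumerable<Post>, IOrderedEnumerable<Post>>> Orderings =
        new(StringComparer.OrdinalIgnoreCase)
        {
            ["newest"] = posts => posts.OrderByDescending(p => p.Published),
            ["oldest"] = posts => posts.OrderBy(p => p.Published),
        };

    // sortParam is the untrusted value of an assumed ?sort= parameter.
    public static List<Post> Sort(IEnumerable<Post> posts, string? sortParam)
    {
        // Missing, empty or unrecognised input falls back to the default
        // ordering instead of throwing, so the page still renders.
        if (!Orderings.TryGetValue(sortParam?.Trim() ?? "", out var ordering))
            ordering = Orderings[DefaultSort];
        return ordering(posts).ToList();
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample data and inputs.
        var posts = new[]
        {
            new Post("A", new DateTime(2017, 1, 5)),
            new Post("B", new DateTime(2017, 3, 6)),
            new Post("C", new DateTime(2016, 11, 20)),
        };
        foreach (var input in new string?[] { "oldest", "NEWEST", null, "", "Published; DROP TABLE Posts--" })
        {
            var titles = PostSorter.Sort(posts, input).Select(p => p.Title);
            Console.WriteLine($"{input ?? "(null)",-32} -> {string.Join(", ", titles)}");
        }
    }
}
```

Only the first two inputs select an ordering by name; everything else, including the injection-style string, is treated as an unknown key and gets the default sort.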
