Josh Gough


Tuesday, August 29, 2006 - Posts

Be careful with GridView.SortExpression
Be careful with this property. It is tempting to put a SQL column name into it, as in SortExpression="SomeColumnName", and then feed the value you receive straight into your SQL query. But ASP.NET does not check whether the sort expression that comes back on postback matches any SortExpression you declared in your markup. If you pull up Fiddler, you can replay the request and change the sort expression to anything you like, which makes the query a SQL-injection target. Rather than trusting that the SortExpression you see in your event handlers must have come from one of the values you placed in your declarative ASP.NET code, a safer practice is to treat the incoming value as a key, look it up against the set of expressions you actually declared, and use the expression returned by that lookup (rejecting anything that is not found). The old adage says "never trust input data" for a reason.
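As an added example (not code from the original post), here is a GridView.Sorting handler that does the lookup the post recommends, shown next to the unsafe concatenation it replaces; the page class, table and column names are assumptions.

```csharp
// Added example, not from the original post. Page, table and column names are hypothetical.
using System;
using System.Collections.Generic;
using System.Web.UI.WebControls;

public partial class CustomersPage : System.Web.UI.Page
{
    // Allow-list: the SortExpression values declared in the .aspx markup, mapped to
    // the exact ORDER BY column we are willing to run. Nothing else reaches SQL Server.
    private static readonly Dictionary<string, string> SortColumns =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "LastName", "LastName" },
            { "City",     "City" },
            { "Created",  "CreatedOn" },
        };

    // UNSAFE (what the post warns against): e.SortExpression is posted back by the
    // client, so a replayed request can replace it with arbitrary SQL text.
    protected void CustomersGrid_Sorting_Unsafe(object sender, GridViewSortEventArgs e)
    {
        string sql = "SELECT LastName, City, CreatedOn FROM Customers ORDER BY "
                     + e.SortExpression;
        // BindGrid(sql) ...
    }

    // SAFE: the posted value is only a key into the allow-list; unknown keys are
    // rejected instead of being spliced into the query.
    protected void CustomersGrid_Sorting(object sender, GridViewSortEventArgs e)
    {
        string orderBy = ResolveSortColumn(e.SortExpression);
        string direction = e.SortDirection == SortDirection.Descending ? "DESC" : "ASC";
        string sql = "SELECT LastName, City, CreatedOn FROM Customers ORDER BY "
                     + orderBy + " " + direction;
        // BindGrid(sql) ...
    }

    // Returns the vetted column name, or throws so the request fails loudly
    // instead of silently running whatever the client sent.
    internal static string ResolveSortColumn(string posted)
    {
        string column;
        if (string.IsNullOrEmpty(posted) || !SortColumns.TryGetValue(posted, out column))
            throw new ArgumentException("Unknown sort expression: " + posted);
        return column;
    }
}
```

The dictionary values are the only strings that ever appear in the ORDER BY clause, so the sort expression round-tripped through ViewState or a replayed form post cannot alter the query text.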

posted Tuesday, August 29, 2006 11:14 AM by JoshuaGough with 1 comment




Powered by Dot Net Junkies, by Telligent Systems