And a follow-up question right away: there is a vulnerability, and there is a database error
like this:
Incorrect syntax near ', '.
Unclosed quotation mark after the character string ' ORDER BY createTime DESC'.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Incorrect syntax near ', '.
Unclosed quotation mark after the character string ' ORDER BY createTime DESC'.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[SqlException (0x80131904): Incorrect syntax near ', '.
Unclosed quotation mark after the character string ' ORDER BY createTime DESC'.]
System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) +388
System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose) +717
System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady) +4515
System.Data.SqlClient.SqlDataReader.TryConsumeMetaData() +61
System.Data.SqlClient.SqlDataReader.get_MetaData() +134
System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString) +6557689
System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async, Int32 timeout, Task& task, Boolean asyncWrite, SqlDataReader ds) +6560327
System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, TaskCompletionSource`1 completion, Int32 timeout, Task& task, Boolean asyncWrite) +586
System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method) +104
System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method) +288
System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior) +237
Baina.Library.Core.SqlDataContext.ExecuteReader(CommandType cmdType, String cmdText, IList`1 commandParameters) +251
Baina.Library.Core.EntityRepository`1.Query(ICriteria criteria) +395
Baina.Flikie.Wallpaper.WallpaperService.QueryInternal(String keyword, String resolution, Int32 contentLevel, String order, Int32 startIndex, Int32 resultSize) +134
Baina.Flikie.Wallpaper.WallpaperService.QueryFromCacheOrInternal(String keyword, String resolution, Int32 contentLevel, String order, Int32 sIndex, Int32 resultSize) +348
Baina.Flikie.Wallpaper.WallpaperService.Query(String keyword, String resolution, Int32 contentLevel, String order, Int32 startIndex, Int32 resultSize) +338
Baina.Flikie.Wallpaper.UserWallpaperService.QueryWallpaper(Int32 userId, String keyword, String resolution, Int32 contentLevel, String order, Int32 startIndex, Int32 resultSize) +87
Baina.Flikie.Web.MobileSite.Controllers.WallpaperController.GetWallpaperSearchResult(Int32 userId, String keywords) in D:\dolphin\Flikie\MobileSite\Controllers\WallpaperController.cs:96
Baina.Flikie.Web.MobileSite.Controllers.WallpaperController.Index(Int32 id, String wallpaperName) in D:\dolphin\Flikie\MobileSite\Controllers\WallpaperController.cs:132
lambda_method(Closure , ControllerBase , Object[] ) +167
System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) +247
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +39
System.Web.Mvc.<>c__DisplayClassd.b__a() +120
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func`1 continuation) +637
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodWithFilters(ControllerContext controllerContext, IList`1 filters, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +307
System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) +720
System.Web.Mvc.Controller.ExecuteCore() +162
System.Web.Mvc.<>c__DisplayClass8.b__4() +58
System.Web.Mvc.Async.<>c__DisplayClass1.b__0() +15
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +606
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +288
but I can't get it to work; maybe I'm doing something wrong?