Hey all,
I'm looking for the best way to protect my classic ASP site from SQL Injection. I've created "whitelist" and "blacklist" functions which have an array of permitted and not permitted letters/words, respectively. But my blacklist has words like "drop," "alter," "begin," "end," etc., which tend to be used more frequently than I had anticipated. As it is, if any word on the blacklist is present, the SQLInjectCheck fails, the form submission is lost and the user is redirected to an error page.
I want to make this better, without having to learn a new language or framework, but I'm unsure how to go about doing it. Before I start I wanted to ask around to see how others are handling this. I was thinking about converting the string to ASCII, and then reconvert them when I pull it out of the database, which would essentially sanitize the injection, but I'm not sure if there is a better method.
Any tips/pointers/links would be greatly appreciated.
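Added example (editor's illustration, not code from the poster or any reply): the standard way to close the hole the post describes in classic ASP is to stop building SQL text out of form input and pass the input as an ADODB.Command parameter instead. The value then travels to the server as data, so words like "drop" or "begin" and characters like the single quote are stored verbatim and cannot change the statement. The vulnerable concatenation is shown next to the parameterized form. Table and column names (`comments`, `author`, `body`), the connection string, and the form field names are assumptions for the example.

```vbscript
<%
Option Explicit
' Added example for the SQL injection question above; not the poster's code.
' ADO constants normally come from adovbs.inc; defined inline so this runs alone.
Const adCmdText    = 1
Const adParamInput = 1
Const adVarChar    = 200

Dim connStr, conn
connStr = "Provider=SQLOLEDB;Data Source=.;Initial Catalog=site;Integrated Security=SSPI;" ' assumed
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open connStr

' VULNERABLE: the form text is spliced into the statement. A blacklist cannot
' fix this: the author value  x', 'y'); DELETE FROM comments; --  contains no
' banned word from the list in the post and still runs a second statement.
Sub SaveCommentUnsafe(author, body)
    conn.Execute "INSERT INTO comments (author, body) VALUES ('" & author & "', '" & body & "')"
End Sub

' HARDENED: same INSERT, but the values are bound as parameters. The driver
' sends the SQL text and the values separately, so nothing in author or body
' is ever parsed as SQL. Words like drop, alter, begin, end are stored as-is.
Function SaveCommentSafe(author, body)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "INSERT INTO comments (author, body) VALUES (?, ?)"
    ' Parameter order must match the ? placeholders; sizes are assumed column widths.
    cmd.Parameters.Append cmd.CreateParameter("author", adVarChar, adParamInput, 100, author)
    cmd.Parameters.Append cmd.CreateParameter("body",   adVarChar, adParamInput, 4000, body)
    Dim affected
    cmd.Execute affected
    SaveCommentSafe = affected   ' 1 on success
End Function

' Keep input validation for business rules (length, required fields), not for
' SQL keywords; parameterization handles injection regardless of content.
Dim author, body
author = Request.Form("author")
body   = Request.Form("body")
If Len(author) = 0 Or Len(author) > 100 Or Len(body) = 0 Or Len(body) > 4000 Then
    Response.Redirect "error.asp"
Else
    If SaveCommentSafe(author, body) = 1 Then
        ' Encode on output as well: a stored "<script>" is harmless to SQL but not to the browser.
        Response.Write "Saved comment by " & Server.HTMLEncode(author)
    End If
End If

conn.Close
Set conn = Nothing
%>
```

Two caveats a practitioner would check: `Set cmd.ActiveConnection = conn` needs the `Set` because it assigns an object, not a connection string; and the parameter list must be appended in the same order as the `?` placeholders, since OLE DB binds them positionally. The ASCII-encoding idea in the post does not address the problem, because the encoded text is still concatenated into a statement; only separating code from data does.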