#1
[code]
<%
' Snippet to protect SQL database from common SQL injections
' PLEASE USE THIS CODE ON THE FORM PROCESSING ASP PAGE, OR PROCESS THIS AS A FUNCTION AT TIME OF FORM SUBMISSION
' This code disallows the following characters and phrases in all form fields:
'   * ; ' \ select sys exec delete update insert
' I like to use this as my final validation. I use JavaScript validations to avoid blank entries, etc.,
' but this is great to use as a FINAL check before processing a form.
' Happy CODING!
Response.Buffer = True

Dim item, value
For Each item In Request.Form
    ' Lower-case the field value itself so the keyword checks are case-insensitive
    ' (the original applied LCase to the InStr result, so "SELECT" slipped through)
    value = LCase(Trim(Request.Form(item)))
    If InStr(value, "*") > 0 Or InStr(value, "'") > 0 Or InStr(value, ";") > 0 _
       Or InStr(value, "select") > 0 Or InStr(value, "sys") > 0 Or InStr(value, "exec") > 0 _
       Or InStr(value, "delete") > 0 Or InStr(value, "update") > 0 Or InStr(value, "insert") > 0 _
       Or InStr(value, "\") > 0 Then
        Response.Write "<BR>THERE WAS AN ERROR PROCESSING YOUR FORM<br><a href='javascript:history.go(-1)'>Go back to edit your form</a>"
        ' STOP PROCESSING THE FORM AND SEND THE ERROR MESSAGE ABOVE.. YOU CAN CUSTOMIZE THIS AREA
        Response.End
    End If
Next

Response.Write "YOUR FORM WAS SUBMITTED SUCCESSFULLY!"
' continue executing your form and insert/updates into database
%>
[/code]

Last edited by smiller71 : May 23rd, 2007 at 03:26 PM. Reason: people who tag emails
#2
Well, I wouldn't use this code but each to their own ...
__________________
====== Doug G ====== I didn't attend the funeral, but I sent a nice letter saying I approved of it. --Mark Twain
#3
That's a lot of restriction of input, especially if a user is submitting a message (memo or large text field).
The basics for SQL injection for ADO are to escape an apostrophe/single quote that encloses text/date fields. You do this by replacing one quote with two. For number fields you check if the parameter is a numerical value. You can also do the quote replace, but it's not essential if you have other sanitization and validation.
__________________
CyberTechHelp
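As an added example (not code from the thread), the two approaches from posts #1 and #3 side by side in Python against an in-memory SQLite table: the keyword blacklist from post #1, and post #3's quote-doubling for text fields plus a numeric check for number fields. The table, the field names and the memo text are constructed for the demo.

```python
import re
import sqlite3

# The tokens post #1's snippet refuses in any form field.
BLACKLIST = ("*", "'", ";", "select", "sys", "exec", "delete", "update", "insert", "\\")


def blacklist_rejects(value: str) -> bool:
    """Post #1's check: reject a field if it contains any listed token (case-insensitive)."""
    lowered = value.lower()
    return any(token in lowered for token in BLACKLIST)


def escape_text(value: str) -> str:
    """Post #3's rule for text/date fields: replace one single quote with two."""
    return value.replace("'", "''")


def validate_number(value: str) -> int:
    """Post #3's rule for number fields: accept only an integer literal (assumed: integers)."""
    if not re.fullmatch(r"-?\d+", value.strip()):
        raise ValueError(f"not a numerical value: {value!r}")
    return int(value)


def store_memo(conn: sqlite3.Connection, user_id: str, memo: str) -> str:
    """Build the INSERT the way post #3 describes and return the body as stored."""
    uid = validate_number(user_id)                      # number field: must be numeric
    body = escape_text(memo)                            # text field: quotes doubled
    conn.execute(f"INSERT INTO memos (user_id, body) VALUES ({uid}, '{body}')")
    return conn.execute("SELECT body FROM memos WHERE user_id = ?", (uid,)).fetchone()[0]


def demo() -> tuple:
    """Returns (blacklist rejected the memo, escaping stored it verbatim, bad number caught)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE memos (user_id INTEGER, body TEXT)")
    # Constructed sample input: an ordinary memo with an apostrophe and everyday words
    # that also happen to be SQL keywords.
    memo = "Don't forget: select the update option and insert the key."
    rejected = blacklist_rejects(memo)          # post #1's filter refuses this innocent text
    stored = store_memo(conn, "42", memo)       # post #3's escaping stores it unchanged
    try:
        store_memo(conn, "not a number", memo)  # non-numeric id for a number field
        bad_number_caught = False
    except ValueError:
        bad_number_caught = True
    return rejected, stored == memo, bad_number_caught
```

Running `demo()` returns `(True, True, True)`: the blacklist blocks a harmless memo, while the escaping approach stores it intact and the numeric check refuses a non-numeric id.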
Thread: Little snippet in ASP to protect from SQL Injections (ASP Free Forums > Programming > Code Bank)