Brian [..]

> I'm using the following ASP replacements before the ncat var
> is passed into the inline query:
>
> ncat = replace( ncat, "'", "''" )
> ncat = replace( ncat, """", "" )
> ncat = replace( ncat, ")", "" )
> ncat = replace( ncat, "(", "" )
> ncat = replace( ncat, ";", "" )
> ncat = replace( ncat, "-", "" )
> ncat = replace( ncat, "|", "" )
> ncat = replace( ncat, "<", "" )
> ncat = replace( ncat, ">", "" )
> ncat = replace( ncat, "script", "" )

I don't know offhand what you're missing, but one thing immediately springs to mind in terms of security.

You appear to be cleaning your data before adding it to your query and then executing it. Since you're removing all of the offending characters and strings rather than encoding them, it's clear that they are not valid input. If you receive invalid input, why are you then processing it instead of ceasing all processing and informing the user that they have entered invalid input? If someone's trying to hack your system, they're trying to hack your system.

Although I don't really like real world comparisons, please forgive the following: if there's a burglar at my front door, I would feel safer not letting him in at all rather than giving him a quick pat-down for illegal weapons then letting him in.

In addition, you are specifying all of the characters and strings that you *don't* allow. If this list changes because somebody finds another system vulnerability, you will have to a) be aware of it, and b) go back to your code to make further changes.

I would personally URL-decode the input value, then check that it contained only alpha/numeric characters and spaces (or whatever your criteria are). If any further system vulnerabilities are discovered, you're unlikely to be compromised.

HTH

[..]

--
Chris Marsh
Software Developer
t: +44 20 8246 4804 x828
f: +44 20 8246 4808
e: chris at globet.com
w: http://www.globet.com/

Any opinions expressed in this email are those of the individual and not necessarily the Company.
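The two approaches discussed in the reply, side by side, as an added example that is not code from either poster: `strip_denylist` is a Python port of Brian's ASP replacements (the original is classic ASP/VBScript), and `validate_category` is Chris's recommendation of URL-decoding and then accepting only letters, digits and spaces, rejecting anything else instead of processing it. The function names, the 50-character length cap and the sample inputs are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Port of the deny-list from the quoted ASP snippet, kept only for comparison.
# Each pair is (substring to find, replacement), applied in the original order.
DENYLIST_REPLACEMENTS = [
    ("'", "''"), ('"', ""), (")", ""), ("(", ""), (";", ""),
    ("-", ""), ("|", ""), ("<", ""), (">", ""), ("script", ""),
]


def strip_denylist(ncat: str) -> str:
    """Sanitise by removal, as the ASP code does: anything not on the list survives."""
    for bad, good in DENYLIST_REPLACEMENTS:
        ncat = ncat.replace(bad, good)
    return ncat


# Allow-list: the whole value must be letters, digits or spaces (assumed criteria).
ALLOWED = re.compile(r"[A-Za-z0-9 ]+")


class InvalidInput(ValueError):
    """Raised so the caller stops processing and tells the user the input is invalid."""


def validate_category(raw: str, max_len: int = 50) -> str:
    """URL-decode first, then accept the value only if every character is allowed.

    Returns the decoded value on success; raises InvalidInput otherwise, so the
    query is never built from a value that failed the check.
    """
    value = unquote(raw)
    if not value or len(value) > max_len or not ALLOWED.fullmatch(value):
        raise InvalidInput(
            "category must be 1-%d letters, digits or spaces" % max_len)
    return value


def is_valid_category(raw: str) -> bool:
    """Boolean wrapper around validate_category for the comparison below."""
    try:
        validate_category(raw)
        return True
    except InvalidInput:
        return False


if __name__ == "__main__":
    # Constructed sample inputs; the third contains a character the deny-list never mentions.
    for sample in ["Books and Music", "O'Reilly", "50% off", "Books%27"]:
        print(repr(sample), "->", repr(strip_denylist(sample)), "|",
              "accepted" if is_valid_category(sample) else "rejected")
```

The table printed by the demo shows the difference in policy: the deny-list passes `50% off` untouched because `%` was never listed, while the allow-list rejects it without anyone having to anticipate that character.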