Ken Schaefer wrote:
> The reason we have SQL injection issues is because programmers (mostly) suck at writing SQL parsers. But we still try anyway. We concatenate SQL commands (e.g. SELECT ...) with actual data, and then try to make sure the data is sane.
>
> That's the wrong way to go about it. Most DBMSes already have excellent parsers that can build a query plan, and then you just supply the data.
>
> So, *use* the prepared statement technology that exists for your DBMS! If you are using ASP, then ADO provides Command objects that you can use against sprocs (or even inline SQL). ASP.NET likewise provides prepared statement support.
>
> Use this, and you are then relying on the DBMS to take your SQL statement, and your data, and prepare the necessary query execution plan. And barring a bug in the DBMS implementation, you'll be invulnerable to SQL injection attack.

Exactly. Ken gave me the same advice probably 3 years ago on a similar issue. As I sit now, all of my code is parsed through regexes, and all SQL commands are ADO.

To the OP, hit me up off list if you would like me to share with you some classic ASP functions for cleaning data. Again, it's not perfect, but it will help. And with the ADO params, you're golden.
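The contrast Ken describes, SQL text built by string concatenation versus a prepared statement that hands the data to the DBMS separately, as an added example that is not part of this thread and not the poster's classic ASP/ADO code. It uses Python's `sqlite3` module (which binds parameters with `?` placeholders) against a constructed in-memory `users` table, so every user name and password below is made up.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite table, not a real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("o'brien", "pw")],
    )
    return conn


def login_concat(conn, username, password):
    """The pattern Ken warns against: the application splices data into the
    SQL text, so the DBMS parser cannot tell where the data ends."""
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, username, password):
    """The prepared-statement equivalent: the SQL text is fixed, the DBMS
    parses it once, and the values arrive as bound parameters."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def try_login(fn, conn, username, password):
    """Run a login function and report True/False, or 'error' if the
    concatenated SQL no longer parses (a symptom of the same root problem)."""
    try:
        return fn(conn, username, password)
    except sqlite3.OperationalError:
        return "error"


def compare(username, password):
    """Return both outcomes for one input so the difference is visible."""
    conn = make_db()
    return {
        "concat": try_login(login_concat, conn, username, password),
        "param": try_login(login_param, conn, username, password),
    }


if __name__ == "__main__":
    # A legitimate login works either way.
    print("good creds  :", compare("alice", "s3cret"))
    # A wrong password is rejected either way.
    print("bad creds   :", compare("alice", "nope"))
    # Data containing a quote: concatenation rewrites the query; parameters
    # treat it as an ordinary (wrong) password and reject it.
    print("quoted input:", compare("alice", "' OR '1'='1"))
    # A perfectly legitimate name with an apostrophe: concatenation breaks
    # the statement, parameters handle it correctly.
    print("apostrophe  :", compare("o'brien", "pw"))
```

The last case is the one worth remembering when arguing for parameters: they are not only the injection fix, they are also what makes names like `o'brien` work at all without hand-written escaping.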