I have a new client with a large site written all in classic ASP. They have a login page that validates against an MS SQL database that is wide open to SQL injection attacks (I even demonstrated to the client: 'hi' or 1 = 1-- ).

So, I need to swap out

"SELECT * FROM users WHERE userid = '" & user_id & "' AND password = '" & password & "'"

with parameters:

"SELECT * FROM users WHERE userid = @userid AND password = @password"

But I am having trouble figuring out how to do this in classic ASP. I'm getting rather tired trying to find the answer on Google.

http://www.webconcerns.co.uk/asp/accessqueries/accessqueries.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ado270/htm/mdmthcreateparam.asp

To name a few.

I'm not looking for a free handout, just a point in the right direction. Thanks.
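
One way to bind the two login values with ADODB.Command and CreateParameter in classic ASP (an added example, not part of the original post). The form field names, the 50-character column widths and the Application("ConnString") connection string are assumptions; with the SQL Server OLE DB provider, text commands take positional ? markers rather than @name, so the parameters bind in the order they are appended.

```vbscript
<%
' ADO constants declared locally (same values as in adovbs.inc).
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200
Const MAX_LEN = 50   ' assumed width of the userid and password columns

Dim user_id, password, conn, cmd, rs

' Assumed form field names; & "" coerces a missing field to an empty string.
user_id = Request.Form("user_id") & ""
password = Request.Form("password") & ""

' ADO raises an error if a value is longer than the declared parameter size,
' so reject oversized input before binding.
If Len(user_id) > MAX_LEN Or Len(password) > MAX_LEN Then
    Response.Write "Invalid login"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")   ' hypothetical: connection string kept in Application scope

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' Positional markers: the first ? is userid, the second ? is password.
cmd.CommandText = "SELECT userid FROM users WHERE userid = ? AND password = ?"

' CreateParameter(Name, Type, Direction, Size, Value)
cmd.Parameters.Append cmd.CreateParameter("@userid", adVarChar, adParamInput, MAX_LEN, user_id)
cmd.Parameters.Append cmd.CreateParameter("@password", adVarChar, adParamInput, MAX_LEN, password)

Set rs = cmd.Execute

If rs.EOF Then
    Response.Write "Invalid login"
Else
    Session("userid") = rs("userid")
End If

rs.Close
conn.Close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing
%>
```

With the values bound this way, the input 'hi' or 1 = 1-- is sent to the server as data and compared against the userid column as a literal string, so it no longer changes the WHERE clause.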