How can I sanitise SQL statements in ASP?

protecting a community driven website


Simon606

2:02 pm on Sep 12, 2008 (gmt 0)

I have an SQL database attached to a social networking website.

My website relies on user input so my question is how do you protect against the misuse of words like Union, Select, Drop etc without the need to stop users from using them?

ac2112

8:35 am on Sep 13, 2008 (gmt 0)

You could just code word all the SQL commands and then replace them on input....

so say we code Union as codeone and then on insert we say

<% strField = Replace(Request.Form("field"), "Union", "codeone") %>

and then reverse it to display the form data when needed...

<%=Replace(RS("field"), "codeone", "Union")%>

It would be easier to assign the above to variable names first if you are coding a few words... so

strField = Request.Form("field")

then

strField = Replace(strField, "union", "codeone")
strField = Replace(strField, "insert", "codetwo")

etc...

hope it helps...

Simon606

6:07 pm on Sep 15, 2008 (gmt 0)

that was well written and very easy to understand. thank you.

ac2112

5:40 pm on Sep 19, 2008 (gmt 0)

You are very welcome and I hope it helped... it is probably not the most conventional method, but I think the less popular methods are less likely to be cracked.

Ocean10000

5:06 am on Sep 22, 2008 (gmt 0)

Why not just use stored procedures to handle inserting items into the database properly? This would be the better bet instead of trying to guess the next major SQL injection hack that comes down the road.

Example

' Needs the ADO constants (adCmdStoredProc, adInteger, adParamInput,
' adOpenForwardOnly, adUseClient), e.g. via <!--#include file="adovbs.inc" -->,
' and an already-open ADODB.Connection in the variable "connection".
Public Function spGetClientPageList(clientid)
    Dim cmd, RsRecordset
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = connection
    cmd.CommandText = "StoredProcedureName"
    cmd.CommandType = adCmdStoredProc
    ' clientid travels as a typed parameter; it is never concatenated into SQL text
    cmd.Parameters.Append cmd.CreateParameter("@clientid", adInteger, adParamInput, , clientid)
    Set RsRecordset = Server.CreateObject("ADODB.Recordset")
    RsRecordset.CursorType = adOpenForwardOnly
    RsRecordset.CursorLocation = adUseClient
    RsRecordset.Open cmd
    Set spGetClientPageList = RsRecordset
    Set cmd = Nothing
End Function
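The same idea works without a stored procedure: an ADODB.Command with inline SQL and `?` placeholders binds the user's text as a parameter, so the database never parses it as SQL and words like Union, Select or Drop can stay in the content untouched. The following classic ASP page is an added example written for this thread, not code posted by any of the members above. It assumes adovbs.inc is available for the ADO constants, that `objConn` is an already-open ADODB.Connection created elsewhere, that a `users` table with `id` and `username` columns exists, and the function names `FindUserByName` and `FindUserByNameUnsafe` are hypothetical.

```vbscript
<!--#include file="adovbs.inc" -->
<%
' Assumed: adovbs.inc defines adCmdText, adVarChar and adParamInput.
' Assumed: objConn is an ADODB.Connection that was opened earlier in the page.

' Hypothetical helper: returns a Recordset of rows whose username column equals
' the supplied value. The value is bound as a parameter, so a quote, a keyword
' or a comment marker inside it is just character data to the database.
Function FindUserByName(objConn, userName)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = objConn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT id, username FROM users WHERE username = ?"
    ' 50 is the assumed declared width of the username column; match your schema.
    cmd.Parameters.Append cmd.CreateParameter("@username", adVarChar, adParamInput, 50, userName)
    Set FindUserByName = cmd.Execute
    Set cmd = Nothing
End Function

' The same lookup written by string concatenation, kept here only to show the
' pattern to avoid: the input becomes part of the SQL text the database parses,
' which is exactly what keyword filtering was trying (and failing) to guard.
Function FindUserByNameUnsafe(objConn, userName)
    Set FindUserByNameUnsafe = objConn.Execute( _
        "SELECT id, username FROM users WHERE username = '" & userName & "'")
End Function

' Usage: look up the submitted name and echo the matches, HTML-encoded so the
' stored text cannot inject markup on the way back out either.
Dim rs
Set rs = FindUserByName(objConn, Request.Form("username"))
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("username")) & "<br>"
    rs.MoveNext
Loop
rs.Close
Set rs = Nothing
%>
```

Because the parameter is typed and sized, the driver also rejects values that do not fit the column, which is a useful second check on form input; the point for the original question is that nothing needs to be stripped or code-worded from what users type, since the text is never interpreted as part of the statement.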

wingnut

10:03 am on Sep 29, 2008 (gmt 0)

If you look through the recent post on SQL Injection attacks (http://www.webmasterworld.com/databases_sql_mysql/3657200.htm) it should help you.