If you connect to a database from your server-side scripts, the most important task you have is to validate the input before sending it to your database. We see things like this over and over again:

' Vulnerable: the raw request value is spliced straight into the SQL string
' (note the line-continuation underscore must be preceded by a space)
sql = "SELECT someFields " & _
      "FROM myTable " & _
      "WHERE user = '" & Request("user") & "' " & _
      "ORDER BY someField"

This is just begging for trouble. Your site is a sitting duck for SQL injection attacks, whereby users purposely input invalid data in an attempt to hack in. If you aren't checking the inputs before sending them to the database, eventually someone's coming in.

A better way to write the above query is something like this:

Dim user
user = Trim(Request("user"))
' Double any single quote so the value cannot close the string literal
user = Replace(user, "'", "''")

' Reject empty input (this snippet assumes it lives inside a Sub;
' in inline page code use Response.End instead of Exit Sub)
If Len(user) < 1 Then
    Response.Write "Please enter your user name"
    Exit Sub
End If

sql = "SELECT someFields " & _
      "FROM myTable " & _
      "WHERE user = '" & user & "' " & _
      "ORDER BY someField"

If you are using MS SQL Server, use stored procedures, learn the Command Object syntax, and abandon all other methods to access the database from applications wherever possible.

The problem with the original query is that a user can deliberately enter input such as:
z'; delete from myTable--
z' union select name, dbid from master..sysdatabases--

It doesn't matter what database you use, nor what scripting language you use. If you don't properly validate input server-side, you're asking for trouble. Things to check for:
- if you expect a number, make sure it IS one
- if you expect a string, check that it is greater than zero length; if you know how long it should be, make sure it is that long
- escape single quotes in string input by doubling them up.
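The checklist above, carried through as an added example that is not part of the original post: Python with an in-memory SQLite table standing in for myTable (constructed data), showing the quote-doubling path and the parameterized (Command Object style) path, each handling the two payloads quoted earlier. The column names, sample rows and the 32-character limit are assumptions.

```python
import sqlite3

# Constructed stand-in for the page's myTable (assumption: two text columns).
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE myTable(user TEXT, someField TEXT);
INSERT INTO myTable VALUES ('alice', 'a'), ('bob', 'b');
""")


def expect_number(value):
    # "if you expect a number, make sure it IS one": reject anything else.
    try:
        return int(value.strip())
    except (ValueError, AttributeError):
        return None


def validate_user(user_input, max_len=32):
    # Non-empty, bounded length (assumed limit), single quotes doubled.
    user = user_input.strip()
    if not user or len(user) > max_len:
        return None
    return user.replace("'", "''")


def lookup_escaped(user_input):
    # Same shape as the page's second snippet: validated value spliced in.
    user = validate_user(user_input)
    if user is None:
        return None
    sql = ("SELECT user, someField FROM myTable "
           f"WHERE user = '{user}' ORDER BY someField")
    return conn.execute(sql).fetchall()


def lookup_parameterized(user_input):
    # Preferred: the driver binds the value, so it is never parsed as SQL.
    sql = "SELECT user, someField FROM myTable WHERE user = ? ORDER BY someField"
    return conn.execute(sql, (user_input.strip(),)).fetchall()


def row_count():
    # Lets a caller confirm the table was not modified by a lookup.
    return conn.execute("SELECT COUNT(*) FROM myTable").fetchone()[0]
```

Both lookup paths treat the quoted payloads as plain user names that match nothing, and the row count stays unchanged afterwards.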

Remember to validate all input: this means POST, GET and cookie input. Even if it is a hidden form element, validate it. A hacker won't use his web browser (for long) to get in; he's going to write a script to post garbage at you and see if he can crack in.

I won't go into more detail as there are some good references, and of course a quick search on your favorite search engine will pull up more.

http://www.nextgenss.com/papers/adva..._injection.pdf (PDF)

http://66.102.7.104/search?q=cache:e...njection&hl=en (HTML of above)

http://www.securiteam.com/securityre...DP0N1P76E.html

http://www.unixwiz.net/techtips/sql-injection.html

boy that would be cool if AB would stick-*** this for a while...