Hello,

I am generally a php guy. But right now I need to update entries in SQL Server using ASP.
Does anyone know how to escape malicious data before putting it into the database? The following is what am doing right now
Many thanks in advance.

Dim inactiveList

' Get ids from the check boxes
inactiveList = Request.Form("inactive")

Set rs = Server.CreateObject("ADODB.RecordSet")

' Escape single quote
inactiveList = Replace(inactiveList,"'","''")

' Get rid of white space
inactiveList = Replace(inactiveList," ","") 

' put single quotes around the listnums
inactiveList = Replace(inactiveList,",",",'") 
inactiveList = "'" & inactiveList & "'"



If inactiveList <> "''" Then	
	sql = "UPDATE table1 SET status=0 WHERE ID IN(" & inactiveList & ")"
	rs.open sql, connStr
End If

u dont need recordset to update the records

u can just do that

by

connectionName.execute(sql_statement)

other than that i dont see any problem


also u r making recordset way earlier than u need it
its waste of resource i guess although very little at this level but in big application it does affect.