classic ASP protection against SQL injection

谎友^ 2021-01-06 12:08

I've inherited a large amount of Classic ASP code that is currently missing SQL injection protection, and I'm working on it. I've examined in detail the solutions offered

2 answers
  •  攒了一身酷
    2021-01-06 12:49

    I use two layers of defense:

    • Create a 'cleanparameter' function, and for every call that gets a value from the querystring or form, use it by calling that function. The function at the very least should replace single quotes, and also truncate the string to a length you pass. So, for example, if the field can't be longer than 100 chars, you would call it like x = cleanparameter(request.querystring("x"), 100). That's the first line of defense.
    • Use parameterized queries to run SQL instructions.
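The two layers from the answer above, written out in Classic ASP (VBScript) as an added example that is not code from the original answer or page. The function names truncateParameter, cleanParameter and findUserByName, the Users table with its Id and UserName columns, and an ADODB.Connection object named conn that is assumed to be opened elsewhere are all illustrative assumptions. One caveat a practitioner should keep in mind when combining the two layers: if a value has its single quotes doubled and is then also bound as a parameter, the database stores the doubled quote, so the quote-replacing helper belongs only in front of legacy code that still concatenates SQL text, while parameterized queries get the length-capped raw value.

```vbscript
<%
' Added example (not code from the original answer or page). Assumed names:
' truncateParameter, cleanParameter, findUserByName, the Users table and an
' ADODB.Connection object "conn" that has already been opened elsewhere.

' Layer 1a: normalise and cap the length. Safe in front of a parameterized
' query because it does not change any character of the value.
Function truncateParameter(value, maxLen)
    Dim s
    s = Trim(CStr(value & ""))        ' Null/Empty from Request become ""
    If Len(s) > maxLen Then s = Left(s, maxLen)
    truncateParameter = s
End Function

' Layer 1b: the 'cleanparameter' of the answer: cap the length and double
' single quotes. Use only where legacy code still concatenates SQL text;
' do NOT pass its output to a parameter as well, or the stored value
' keeps the doubled quote.
Function cleanParameter(value, maxLen)
    cleanParameter = Replace(truncateParameter(value, maxLen), "'", "''")
End Function

' Layer 2: parameterized query. The value travels as data, never as SQL text.
Function findUserByName(conn, userName)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1               ' adCmdText
    cmd.CommandText = "SELECT Id, UserName FROM Users WHERE UserName = ?"
    ' adVarWChar = 202, adParamInput = 1, size 100 (matches the column width)
    cmd.Parameters.Append cmd.CreateParameter("@name", 202, 1, 100, userName)
    Set findUserByName = cmd.Execute
End Function

' Usage on a request: cap the length first, then bind the value.
Dim name, rs
name = truncateParameter(Request.QueryString("name"), 100)
Set rs = findUserByName(conn, name)
If Not rs.EOF Then Response.Write Server.HTMLEncode(rs("UserName"))
rs.Close
%>
```

The parameter size passed to CreateParameter should match the column width so that the truncation in layer 1 and the binding in layer 2 enforce the same limit.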
