When building a website that connects to a SQL database (i.e. Microsoft Access or SQL Server) it is of crucial importance that care is taken to be aware of SQL Injection Attacks.  These typically occur when the website allows the website user to enter content through online forms (particularly textboxes).  However, the lack of strong variable typing in classic ASP means that any variable that is retrieved from the user's browser can be vulnerable to being used in a SQL injection attack.  At the very least, it would allow the user to perhaps login to a website without needing to know a username and/or password.  Depending on the security settings in the website's database, they may even be able to delete data or execute arbitrary system commands on the machine hosting the database server.

Classic ASP is particularly vulnerable to SQL injection attacks.  For example, a web page that retrieves a particular record from a database table row by retrieving the row's primary key from the querystring can be potentially used in a SQL injection attack.  If the user visits a URL, such as http://www.ajobwebsite.com/jobs/showjob.asp?JobID=12227, then they may be able to append a certain sequence of characters to the end of the JobID in order to force a SQL injection attack.  Fortunately, this particular SQL injection attack can be mitigated by ensuring that showjob.asp converts the JobID query string parameter to a number by using the Cint() function in VBScript or Math.round() in JScript.

Ideally, all user input derived from query string parameters and form fields should be cleansed in order to remove any characters that do not need to be present in a particular variable.  For example, a number field should only contain numbers.  Using the VBScript Replace function can easily achieve this.  Particular care should be taken to remove single quotes or dashes from user input, unless they are specifically needed in a particular variable (for a person's name).  Single quotes should also be converted to double quotes before the variable is used in a SQL statement.

There are two other ways of minimizing the chance of SQL injection attacks occurring.  The first is to use stored procedures to carry out all database queries, rather than constructing SQL statements in the web page itself.  The second is to use the ADO or ADO.NET Command object to carry out database connectivity.  An article on ASPAlliance shows further details of this: http://aspalliance.com/385.

Finally, on an SQL Server, using a dedicated database user with the minimum set of permissions required will prevent a malicious user from being able to do too much, should they discover a way of performing SQL injection attacks against the database.

If you would like to know more about the dangers of SQL injection attacks, as well as information about some of the other dangers facing websites, then the NGS Software website has some useful whitepapers - see http://www.ngssoftware.com.  Of particular note are the whitepapers on SQL injection attacks: "Advanced SQL Injection in SQL Server Applications," http://www.ngssoftware.com/papers/advanced_sql_injection.pdf, "(more) Advanced SQL Injection", http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf and "Writing Secure ASP Scripts," http://www.ngssoftware.com/papers/asp.pdf.