Good way to sanitize input in classic ASP

Sander Versluys · Jan 14, 2009

I have to update old projects at work. I do not have any experience with classic ASP, although I'm familiar with PHP scripting.

  • Are there any functions I should use?
  • Can you provide me with a good function for some basic protection?
  • Is there something like a parameterized query in ASP?

Thanks!

Answer

Flory · Jan 14, 2009

Yes you can use parametrized queries in classic ASP (more accurately, classic ADO).

Here is a link.

As for encoding output, I might be tempted to create a wrapper for the latest Microsoft Anti-XSS library and call it with Server.CreateObject. I am far from an expert on this kind of thing as I spend much more time in .NET, so I only think this would work.

Server.HTMLEncode is really not good enough, as it only blacklists a few encoding characters. The Anti-XSS library is much better as it whitelists what is acceptable.
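
A parameterized query through ADODB.Command in a classic ASP page, as an added example that is not part of the original answer. The connection string, the Customers table and its columns, and the form field names are placeholders assumed for illustration.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit

' ADO constants (same values as adovbs.inc), declared inline so the page is self-contained
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarChar = 200

' Placeholder connection string: substitute the application's own
Const CONN_STR = "Provider=SQLOLEDB;Data Source=YOUR_SERVER;Initial Catalog=YOUR_DB;Integrated Security=SSPI;"

Dim conn, cmd, rs, re, lastName, minAge

' Bound the string to the declared parameter size (hypothetical form field "lastname")
lastName = Left(Trim(Request.Form("lastname") & ""), 50)

' Accept only 1-3 digits for the numeric field (hypothetical "minage"), else fall back to 0
Set re = New RegExp
re.Pattern = "^\d{1,3}$"
If re.Test(Request.Form("minage") & "") Then
    minAge = CInt(Request.Form("minage"))
Else
    minAge = 0
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open CONN_STR

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText

' Unsafe form this replaces: "... WHERE LastName = '" & lastName & "'"
' The ? markers are bound in order; user input never becomes part of the SQL text
cmd.CommandText = "SELECT FirstName, LastName FROM Customers WHERE LastName = ? AND Age >= ?"
cmd.Parameters.Append cmd.CreateParameter("@lastname", adVarChar, adParamInput, 50, lastName)
cmd.Parameters.Append cmd.CreateParameter("@minage", adInteger, adParamInput, , minAge)

Set rs = cmd.Execute
Do Until rs.EOF
    ' Built-in encoder for HTML element content; the answer above suggests wrapping Anti-XSS instead
    Response.Write "<li>" & Server.HTMLEncode(rs("FirstName") & " " & rs("LastName")) & "</li>"
    rs.MoveNext
Loop
rs.Close : conn.Close
Set rs = Nothing : Set cmd = Nothing : Set conn = Nothing
%>
```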