https://pcx3.com/how-to-find-snd-stop-sql-injection-attacks/

connection.asp

<%
 
 strDBConnection = "Provider=SQLOLEDB.1;Persist Security Info=False;User ID=bevnet_sa;Initial Catalog=xxxx;Data Source=localhost;Network Library=DBMSSOCN;uid=xxxx;password=xxxx" 
 

Function connection_DBLookUpSP(strSQL)
  
  Dim rsResults
  Dim varResult

 if InStr(strSQL, "EXEC(") Then 
	Response.END
 End if

  Dim ErrorMessage

  

  	Set rsResults = Server.CreateObject("ADODB.Recordset")
	
	rsResults.Open strSQL, strDBConnection
	If Not rsResults.EOF Then
		varResult = rsResults(0)
	Else
		varResult = ""
	End If
	rsResults.Close
	Set rsResults = Nothing
  
	connection_DBLookUpSP = varResult
 
  
End Function


Function connection_DBLookUp(strColumnName, strTableName, strWhere)
  
  Dim rsResults
  Dim varResult
  Dim strSQL
  Dim ErrorMessage

 if InStr(strWhere, "EXEC(") Then 
	Response.END
 End if
 if InStr(strColumnName, "EXEC(") Then 
	Response.END
 End If
 if InStr(strTableName, "EXEC(") Then 
	Response.END
 End If

  strSQL = "SELECT " & strColumnName 
  If Len(CStr(strTableName)) > 0 Then 
	
	strSQL = strSQL & " FROM "  & strTableName 
	
	If Len(CStr(strWhere)) > 0 Then strSQL = strSQL & " WHERE " & strWhere

  	Set rsResults = Server.CreateObject("ADODB.Recordset")
  
	rsResults.Open strSQL, strDBConnection
	If Not rsResults.EOF Then
		varResult = rsResults(0)
	Else
		varResult = ""
	End If
	rsResults.Close
	Set rsResults = Nothing
  
	connection_DBLookUp = varResult
 
  Else
		connection_DBLookUp = ""
  End If 
End Function

Function connection_GetRecordset(strSQL)
  'this function returns a disconnected recordset

 if InStr(strSQL, "EXEC(") Then 
	Response.END
 End if

	

   Dim objConn
   Dim objRecordset
   Dim strErrorDescription 

   'Open a connection
   On Error Resume Next
		Set objConn = Server.CreateObject("ADODB.Connection")
		objConn.Open strDBConnection
   
   If Err.number <> 0 then
    
		Response.Write Err.Description
		Response.END

	    
    End If
   
  ' On Error Resume Next
		'Create the Recordset object
		Set objRecordset = Server.CreateObject("ADODB.Recordset")
		objRecordset.CursorLocation = 3

		'Populate the Recordset object with a SQL query
		objRecordset.Open strSQL, objConn, 3, 4

		'Disconnect the Recordset
		Set objRecordset.ActiveConnection = Nothing

		'Return the Recordset
		Set connection_GetRecordset = objRecordset

		'Clean up...
		objConn.Close
		Set objConn = Nothing
	 
	 If Err.number <> 0 then
   		
			Response.Write "OR HERE" & Err.Description
		Response.END
   	
   		'Call utility_displayError("Error executing query.", strErrorDescription & "<br><br>" & strSQL)	
	
	    
    End If
   

	
End Function

Function connection_executeCommand(strSQL)

 if InStr(strSQL, "EXEC(") Then 
	Response.END
 End if


	Dim objDBConn
	Set objDBConn = Server.CreateObject("ADODB.Connection")
	objDBConn.Open strDBConnection
	objDBConn.Execute strSQL
	objDBConn.Close
	Set objDBConn = NOTHING
End Function



Function connection_createGuid()
  Dim TypeLib, tg
  Set TypeLib = Server.CreateObject("Scriptlet.TypeLib")
  tg = TypeLib.Guid
  connection_createGuid = Replace(Replace(Replace(left(tg, len(tg)-2),"-",""),"}",""),"{","")
  Set TypeLib = Nothing
End Function


Function connection_SQLEncode(str)


	If isNull(str) Then
		str = "" 
	End If

	
	Dim tmpEncodeStr 
	tmpEncodeStr = str

	tmpEncodeStr = "'" & Replace (str, "'", "''" ) & "'" 


	connection_SQLEncode = tmpEncodeStr

End Function	


%>