aleksl - 7:08 pm on Dec 12, 2011 (gmt 0)
incrediBILL, come on. Do you post here, or what? This Quick Reply box on the forum, how long of a string does it accept?
How long of a string do you accept as a search string on your search forms? How do you sanitize it?
What you are describing is sites that bring money; otherwise you can't possibly afford the extensive rewrites that are needed to fix cheaply built outsourced code and plug the holes. What you are talking about is top sites on the web, but small webmasters don't own top sites. Most of the small affiliates don't, etc. etc. In fact, even I would shut down several of our small non-profit sites rather than doing extensive and EXPENSIVE hole plugging.
As far as quick measures for classic ASP:
1) what softty said above, parameterized queries. Better yet, stored procedures. May not be suitable for everyone because it may require a website rewrite.
2) for any code: database tightening. The user that is connecting to the database from a website
a) CANNOT BE "sa"
b) CANNOT HAVE ACCESS to system tables.
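One way to put items 1 and 2 into practice in classic ASP, as an added example rather than code from the post: the search string is length-capped and bound as an ADODB parameter instead of being concatenated into the SQL. It assumes SQL Server, a table dbo.Articles with a Title column, and a connection string for a low-privilege login stored in the hypothetical Application("ConnString").

```vbscript
<%
Option Explicit
' Added example, not from the forum post. Assumes SQL Server, a table
' dbo.Articles(Title) and a connection string in Application("ConnString").
Const MAX_SEARCH_LEN = 100   ' hard cap on the accepted search string
Const adVarChar      = 200   ' ADO constants, so adovbs.inc is not required
Const adParamInput   = 1
Const adCmdText      = 1

' Returns a recordset of matching titles, or Nothing if the input is refused.
Function SearchArticles(conn, rawTerm)
    Dim term, pattern, cmd
    term = Trim(rawTerm & "")
    ' Refuse empty or over-long input up front; the parameter binding below
    ' handles quoting, so this check is about size, not "sanitizing".
    If Len(term) = 0 Or Len(term) > MAX_SEARCH_LEN Then
        Set SearchArticles = Nothing
        Exit Function
    End If
    ' Escape SQL Server LIKE wildcards so the user cannot widen the match.
    term = Replace(Replace(Replace(term, "[", "[[]"), "%", "[%]"), "_", "[_]")
    pattern = "%" & term & "%"

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The ? placeholder is filled by the driver; the user's text is never
    ' spliced into the SQL text, so quotes and comment markers stay data.
    cmd.CommandText = "SELECT TOP 50 Title FROM dbo.Articles WHERE Title LIKE ?"
    cmd.Parameters.Append cmd.CreateParameter("@q", adVarChar, adParamInput, _
                                              Len(pattern), pattern)
    Set SearchArticles = cmd.Execute
End Function

Dim conn, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")   ' low-privilege login, never "sa"
Set rs = SearchArticles(conn, Request.Form("q"))
If rs Is Nothing Then
    Response.Status = "400 Bad Request"
    Response.Write "Search string missing or too long."
Else
    Do Until rs.EOF
        Response.Write Server.HTMLEncode(rs("Title")) & "<br>"
        rs.MoveNext
    Loop
    rs.Close
End If
conn.Close
%>
```

The login behind Application("ConnString") should hold only SELECT on the tables the page reads, which is what keeps item 2 (no "sa", no system tables) enforced on the database side even if a page is later edited carelessly.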