I've just inherited an asp.net 1.1 app that has all passthru sql and no measures in places to stop any sql injection monkey business. I showed the folks that wrote the application how to get full access to their administration panel and they about croaked.

I prefer a data access layer and stored procedures but that's going to be a 2 week effort so in the meantime I need a stop gap measure that keeps the application secure.

I added a class to the project (regex not fully tested yet):

Imports System.Text.RegularExpressions
Public Class SQLUtilities
 REM *****************************************************************
 REM Remove any non alpha-numeric data from the command
 REM *****************************************************************
 Public Function CommandSecurity(ByVal sqlCommand As String) As String
 Return CStr(Regex.Replace(sqlCommand, "^.*[^A-Za-z0-9].*$", ""))
 End Function
End Class

Then I have to fire this thing in roughly 50+ methods that span over 4000 lines of code. Sorta like this:

Dim SQLUtil As New SQLUtilities
Dim mySQL = " select * from table where col1='" + SQLUtil.CommandSecurity(valOne) + "' and col2='" + SQLUtil.CommandSecurity(valTwo) + "'"

Is there an easier way to do this?