04.14.2008 at 06:22PM PDT, ID: 23322399
ASP sql injection hack

Asked by michaelshavel in Active Server Pages (ASP), MS SQL Server, SQL Server 2005

Hi,

I have inherited an (old) ASP site (I'm a perl/c/Java programmer). The database on the backend (SQL 2005) was compromised by what I believe was SQL injection. The hacker put in a string calling a javascript into several text fields in one of my tables. I've deleted the offending data and it hasn't come back, yet. Looking around on message boards it looks like it was done to others today at the same time. The consensus in these boards is that it was an SQL Injection hack.
I've been doing some reading about this and it's probably the way it did happen on my site. The ASP is quite old (written in 2003).
I can't find anyplace in the ASP where the original programmer escaped the user input data (quotes, backticks, etc.).
So my first question is this.
How do I escape my fields to protect me against these bad chars? In perl I would just use a RegEx -- I assume it's similar in ASP but I don't know the syntax -- I'm trying to get this in asap.

Second question.
Here is a snip of the code in the script that updates the database. I'm not sure what this "replace" function is doing -- is that actually escaping any 'bad' chars? If so, then I guess the hacker got in some other way....

Thanks!!

Mike


<!-- #INCLUDE File="../ADOVBS.INC" -->

' iAncID is concatenated straight into the WHERE clause (unquoted numeric position)
Query = "SELECT * FROM ANC WHERE (AncID = " & iAncID & ") "
adoAnc.Open Query, Connect, adOpenStatic, adLockReadOnly

if adoAnc.eof then
    ' replace() doubles single quotes in Message and Head only;
    ' FromDt, ToDt and iID go into the SQL string as-is
    sqlq = "INSERT INTO ANC (Anc1, From, To, Header, ID) "
    sqlq = sqlq & "VALUES ('" & replace(request.form("Message"),"'","''") & "', '" & request.form("FromDt") & "','" & request.form("ToDt") & "', '" & replace(request.form("Head"),"'","''") & "', " & iID & ")"
end if

set adoCommand = Server.CreateObject("ADODB.Command")
Set adoCommand.ActiveConnection = Connect
adoCommand.CommandType = adCmdText
adoCommand.CommandText = sqlq
adoCommand.execute , , adExecuteNoRecords
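The same SELECT and INSERT rewritten with ADO command parameters, as an added example that is not code from the original post: every user-supplied value is bound as a typed parameter instead of being spliced into the SQL text, which is what the replace() call was attempting for only two of the five values. It assumes the ADOVBS.INC constants are available as in the original, that Connect is the script's open ADODB.Connection, and, since the post does not show where iAncID and iID come from, reads them from Request.QueryString("AncID") and Request.Form("ID") as hypothetical stand-ins.

```vbscript
' Added example; assumes the ADOVBS.INC constants and the open
' ADODB.Connection "Connect" from the original script.
Dim adoCmd, adoAnc, iAncID, iID, sMsg, sHead, dFrom, dTo

' replace(...,"'","''") only protects a value inside a quoted SQL string.
' AncID and ID sit in an unquoted numeric position, so they are checked as
' numbers (their Request sources are hypothetical; the post does not show them).
If Not IsNumeric(Request.QueryString("AncID")) Or Not IsNumeric(Request.Form("ID")) Then
    Response.Status = "400 Bad Request"
    Response.End
End If
iAncID = CLng(Request.QueryString("AncID"))
iID = CLng(Request.Form("ID"))

' FromDt and ToDt were concatenated with no escaping at all in the original;
' here they must parse as dates before they reach SQL Server.
If Not IsDate(Request.Form("FromDt")) Or Not IsDate(Request.Form("ToDt")) Then
    Response.Status = "400 Bad Request"
    Response.End
End If
dFrom = CDate(Request.Form("FromDt"))
dTo = CDate(Request.Form("ToDt"))
sMsg = CStr(Request.Form("Message"))
sHead = CStr(Request.Form("Head"))

' "?" is ADO's positional placeholder; parameters are appended in that order.
Set adoCmd = Server.CreateObject("ADODB.Command")
Set adoCmd.ActiveConnection = Connect
adoCmd.CommandType = adCmdText
adoCmd.CommandText = "SELECT * FROM ANC WHERE AncID = ?"
adoCmd.Parameters.Append adoCmd.CreateParameter("AncID", adInteger, adParamInput, , iAncID)
Set adoAnc = adoCmd.Execute
If adoAnc.EOF Then
    adoAnc.Close
    ' Each value travels as a typed parameter, so a quote, comment marker or
    ' semicolon in Message or Head is stored as data, never parsed as SQL.
    ' [From] and [To] are bracketed because both are T-SQL reserved words;
    ' 4000 is an assumed varchar width for Anc1 and Header.
    Set adoCmd = Server.CreateObject("ADODB.Command")
    Set adoCmd.ActiveConnection = Connect
    adoCmd.CommandType = adCmdText
    adoCmd.CommandText = "INSERT INTO ANC (Anc1, [From], [To], Header, ID) VALUES (?, ?, ?, ?, ?)"
    adoCmd.Parameters.Append adoCmd.CreateParameter("Anc1", adVarChar, adParamInput, 4000, sMsg)
    adoCmd.Parameters.Append adoCmd.CreateParameter("From", adDBTimeStamp, adParamInput, , dFrom)
    adoCmd.Parameters.Append adoCmd.CreateParameter("To", adDBTimeStamp, adParamInput, , dTo)
    adoCmd.Parameters.Append adoCmd.CreateParameter("Header", adVarChar, adParamInput, 4000, sHead)
    adoCmd.Parameters.Append adoCmd.CreateParameter("ID", adInteger, adParamInput, , iID)
    adoCmd.Execute , , adExecuteNoRecords
End If
```

With parameters in place the replace() calls become unnecessary; the driver sends the values separately from the statement, so no character in them can change the query's structure.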
04.14.2008 at 06:44PM PDT, ID: 21355356

04.14.2008 at 07:22PM PDT, ID: 21355502

About this solution

Zones: Active Server Pages (ASP), MS SQL Server, SQL Server 2005
Tags: Microsoft, ASP
Solution Provided By: CyrexCore2k
Participating Experts: 3
Solution Grade: A

04.14.2008 at 07:27PM PDT, ID: 21355516

04.15.2008 at 02:18AM PDT, ID: 21357100