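<%
' Shared include: a small HTML-entity decoder, a SQL keyword/character
' blacklist check, and the ADODB connection used by the including pages.

' Decodes a fixed set of named entities (&quot; &lt; &gt; &nbsp; &amp;) and
' decimal numeric references &#1; .. &#255; back to characters.
'   encodedstring : entity-encoded text
'   returns       : the decoded string
' Limitations: no hex references (&#x..;), nothing above &#255;, no other
' named entities. The two ampersand forms (&amp; and &#38;) are decoded
' LAST so an encoded ampersand cannot seed a second round of decoding
' (e.g. "&amp;#60;" stays "&#60;" rather than becoming "<").
Private Function HTMLDecode(byVal encodedstring)
    Dim tmp, i
    tmp = encodedstring
    tmp = Replace(tmp, "&quot;", chr(34))
    tmp = Replace(tmp, "&lt;", chr(60))
    tmp = Replace(tmp, "&gt;", chr(62))
    tmp = Replace(tmp, "&nbsp;", chr(32))
    For i = 1 To 255
        ' &#38; is the ampersand; it is handled after the loop (see above).
        If i <> 38 Then
            tmp = Replace(tmp, "&#" & i & ";", chr(i))
        End If
    Next
    tmp = Replace(tmp, "&amp;", chr(38))
    tmp = Replace(tmp, "&#38;", chr(38))
    HTMLDecode = tmp
End Function

' Returns True when sInput contains any entry of the sBadChars blacklist
' (a few SQL keywords, the "xp_" prefix and assorted punctuation), else False.
' Matching is case-insensitive (vbTextCompare) so "SELECT" is caught as
' well as "select"; the original binary compare let mixed-case keywords through.
' NOTE(review): a keyword/character blacklist does not make query building
' safe on its own, and this one also rejects legitimate input containing
' "&", "(", ":" and similar; any SQL built from sInput should use
' ADODB.Command parameters regardless of this check.
Function IllegalChars(sInput)
    Dim sBadChars, iCounter
    IllegalChars = False
    sBadChars = array("update","select", "drop", "insert", "delete", "xp_","#", "&", "(", ")", "/", "\", ":", ";", "<", ">", "=", "[", "]", "?", "`", "|")
    For iCounter = 0 To UBound(sBadChars)
        If InStr(1, sInput, sBadChars(iCounter), vbTextCompare) > 0 Then
            IllegalChars = True
            Exit For ' one hit decides the result
        End If
    Next
End Function

' Module-level second blacklist. It is assigned here but never read by
' IllegalChars; kept for any including page that may reference it.
' The entries look like fragments of a previously seen injected-script
' payload (e.g. "www3.800mg.cn", "w.js", "@S=CAST", "EXEC(") — presumably
' copied from an incident; entries such as "[at] S }" and "AS }}{ " look
' garbled — TODO confirm against the intended list.
' Beware before wiring it into an InStr loop: it contains zero-length
' strings, and InStr(s, "") returns 1 for any non-empty s, so every input
' would be flagged.
sBadChars2 = array("CAST","CHAR","SET","-","update","select", "drop", "insert", "delete", "xp_", "DECLARE","NVARCHAR","varchar","CURSOR","Table_Cursor","","","www3.800mg.cn","w.js","","""","'",";",";-","0x4","EXEC(",");SET",");SET","0;","/t_blank","EXEC",".JS","UPDATE","@S=CAST","(",")","AS CHAR(4000)","4000","AS CHAR","AS }}{ ","[at] S }","(","[","{","}","\","(","\",")","\","^","$","&","_","%","#","!","/","\","?","/","\",",","$","!","[","]","""","'",";",";-","(",")","(","[","{","}","\","(","\",")","\","^","$","&","_","%","#","!","/","\","?","/","\",",","$","!",".","-","+","*",":","<",">","=","[","]")

' Database connection shared by the including pages.
' NOTE(review): the SQL login and password are embedded in this source
' file. Keep the credentials out of the web root (an include outside the
' site tree, or server configuration) and grant this login only the
' rights the interviewq pages need.
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=localhost;uid=aassqq1;pwd=#%AA~II12;database=interviewq"
' Former Access/Jet connection, retained for reference:
'Conn.Open "Data Source=" & Server.Mappath("db5.mdb") & ";Provider=Microsoft.Jet.OLEDB.4.0;"
%>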