Thursday, December 27, 2012

Verifying input to be passed to a SQL statement in VBScript

This is a very common mistake made when passing user-supplied data to a SQL statement in VBScript: 

strUserData=request.form("Name") 
strSQLData="select Name from UserNames where Name='" & strUserData & "'" 

If the string in Name contains a single quotation mark it will break out of the string literal, which at best returns a SQL error and at worst lets someone with bad intentions alter the query to corrupt your database or steal information. 

One way around this is to make a function that replaces each single quote with two single quotes, so that David's would be rendered as David''s and the final string would look like: 

Select Name from UserNames where Name='David''s' 

The Function would be: 

Function Quotes(strInput) 
    ' Double every single quote so it can no longer terminate the SQL string literal. 
    ' In VBScript a function returns a value by assigning to its own name. 
    Quotes = Replace(strInput, "'", "''") 
End Function 

This function can then be included in any page that uses SQL Statements: 

strUserData=Quotes(request.form("Name")) 
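As an added example (not code from the original post), the snippet below shows the Quotes function in use inside a classic ASP page, and then goes a step further than the post in two ways a practitioner will want: quote-doubling only protects values that sit inside a quoted string literal, so a numeric value has to be validated as a number instead, and an ADODB.Command with parameters sends the value separately from the SQL text so no escaping is needed at all. The values assigned to strUserData and strUserId are constructed samples standing in for Request.Form/Request.QueryString, and strConn is assumed to be a connection string defined elsewhere in the page.

```vbscript
' Added example, not from the original post. Assumes it runs inside an ASP page
' (Request, Response and Server are available) and that strConn is defined.

Function Quotes(strInput)
    ' Double every single quote so it cannot terminate the SQL string literal.
    Quotes = Replace(strInput, "'", "''")
End Function

' --- 1. Escaping a quoted string literal (the approach from the post) ---
Dim strUserData, strSQLData
strUserData = "David's"   ' constructed sample in place of Request.Form("Name")
strSQLData = "SELECT Name FROM UserNames WHERE Name='" & Quotes(strUserData) & "'"
' strSQLData now reads: SELECT Name FROM UserNames WHERE Name='David''s'

' --- 2. A numeric column is not quoted, so Quotes() cannot protect it. ---
' Validate the type instead of escaping the text.
Dim strUserId, lngUserId
strUserId = "42"          ' constructed sample in place of Request.QueryString("Id")
If IsNumeric(strUserId) Then
    lngUserId = CLng(strUserId)
Else
    Response.Write "Invalid id"
    Response.End
End If

' --- 3. Parameterized query: the driver keeps the value apart from the SQL text ---
Dim cnn, cmd, rs
Set cnn = Server.CreateObject("ADODB.Connection")
cnn.Open strConn          ' strConn: placeholder connection string, assumed defined elsewhere
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = cnn
cmd.CommandText = "SELECT Name FROM UserNames WHERE Name = ? AND Id = ?"
cmd.CommandType = 1       ' adCmdText
' CreateParameter(Name, Type, Direction, Size, Value); 200 = adVarChar, 3 = adInteger, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("Name", 200, 1, 50, strUserData)
cmd.Parameters.Append cmd.CreateParameter("Id", 3, 1, , lngUserId)
Set rs = cmd.Execute
Do Until rs.EOF
    ' Encode on the way out as well, so a stored value cannot inject HTML into the page.
    Response.Write Server.HTMLEncode(rs("Name")) & "<br>"
    rs.MoveNext
Loop
rs.Close
cnn.Close
```

Quotes() is still the right tool when you have no choice but to build the string yourself, but it must be applied to every string value, and only inside single-quoted literals; a value dropped into an unquoted position (a number, a column name, an ORDER BY clause) gets no protection from it, which is why the parameterized form in part 3 is the safer default.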
