Preventing Injection attacks
From: Mike Yearwood, Toronto, Ontario, Canada
Date: 25/08/2008 15:04:17
Forum: Microsoft SQL Server
Category: Other
SQL Server: SQL Server 2005
Thread ID: 01341172
Message ID: 01341590
There are two kinds of injection attacks. One is SQL Injection, which is when the user enters SQL code which you, the programmer, concatenate and turn into one big SQL command. This is prevented by parameterizing what the user enters. This also requires NO cleaning up of the user's entries.

Instead of

m.lcCmd = "select * from table where field = " + thisform.userentry   && the user's text is spliced into the SQL and parsed as part of the command

do

m.lcUserEntry = thisform.userentry
m.lcCmd = "select * from table where field = ?m.lcUserEntry"   && ?m.lcUserEntry is sent as a bound parameter, never parsed as SQL

The other injection is HTML / Javascript being entered into the fields. These you do have to try and filter out.

>In the meantime the site was attacked again. I'm waiting for my colleagues to come and clean the database again.
>
>>You're welcome :)
>>
>>>Wow, this will take me a while to go through. Thanks for doing this research for me.
>>>
>>>>>Hi everybody,
>>>>>
>>>>>I'm thinking that, instead of trying to intercept every request, we may try to use UPDATE/INSERT triggers for every table and reject entries containing < script >. Does it sound like a better approach?
>>>>>
>>>>>What do you think?
>>>>>
>>>>>Thanks in advance.
>>>>
>>>>I think it would make sense to research it fully. Here are a few to get you started:
>>>>
>>>>http://www1.cs.columbia.edu/~angelos/Papers/sqlrand.pdf
>>>>http://www.securiteam.com/securityreviews/5DP0N1P76E.html
>>>>http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx
>>>>http://msdn.microsoft.com/en-us/library/bb355989.aspx
>>>>http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx
>>>>http://www.colinmackay.net/tabid/57/Default.aspx
>>>>http://msdn.microsoft.com/en-us/library/aa224806.aspx
>>>>
>>>>There are some appliances and tools like WatchFire AppScan, Applicure's DotDefender, or eEye's REM Security Management Appliance. Most are cost prohibitive though.
>>>>
>>>>One thing you can do though is download the trialware of some checking tools so you can use it as a test to check for vulnerabilities....
>>>>
>>>>http://www.security-hacks.com/2007/05/18/top-15-free-sql-injection-scanners
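The two points Mike makes above, as an added example that is not part of the original post or of any Level Extreme code: the concatenated query beside its parameterized form (the same defence as the VFP `?m.lcUserEntry` pass-through parameter in the post), and, for the HTML/JavaScript case, the `<script>`-rejecting trigger idea from earlier in the thread next to output encoding. It uses Python's sqlite3 module rather than VFP against SQL Server 2005, and the table `t`, the column `field` and the three rows are constructed for the demonstration. The trigger-style check is shown mainly to illustrate the caveat a practitioner would raise: it is a blocklist, so a payload that uses another tag or an event handler walks straight past it, whereas escaping the value at the point where it is written into the page does not depend on recognizing the payload.

```python
import html
import re
import sqlite3

# Constructed sample data standing in for the SQL Server table in the post.
# Assumptions: the table is called `t` and the searched column `field`.
ROWS = [("alice",), ("bob",), ("carol",)]


def make_db():
    """Build an in-memory SQLite table holding the three constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE t (id INTEGER PRIMARY KEY, field TEXT)")
    con.executemany("INSERT INTO t (field) VALUES (?)", ROWS)
    con.commit()
    return con


def query_concatenated(con, user_entry):
    """The vulnerable pattern: the user's text is spliced into the SQL string,
    so any SQL syntax inside it executes as part of the command."""
    cmd = "SELECT id, field FROM t WHERE field = '" + user_entry + "'"
    return con.execute(cmd).fetchall()


def query_parameterized(con, user_entry):
    """The fix: the value is bound as a parameter (sqlite3's `?` plays the role
    of VFP's `?m.lcUserEntry`) and is never parsed as SQL, so the input needs
    no cleaning up at all."""
    return con.execute(
        "SELECT id, field FROM t WHERE field = ?", (user_entry,)
    ).fetchall()


# --- HTML / JavaScript entered into fields ----------------------------------

# Mimics the trigger proposed in the thread: reject anything containing
# "<script" (case-insensitive, tolerating the "< script >" spacing).
SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)


def passes_script_blocklist(value):
    """True if a reject-if-it-contains-<script> trigger would accept the value."""
    return SCRIPT_TAG.search(value) is None


def render_field(value):
    """Output encoding: keep the raw value in the database and escape it where
    it is written into an HTML page, so stored text can never become markup."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    con = make_db()
    payload = "' OR '1'='1"
    print("concatenated :", query_concatenated(con, payload))   # every row leaks
    print("parameterized:", query_parameterized(con, payload))  # no row matches

    for sample in ("<script>alert(1)</script>",
                   "<ScRiPt>alert(1)</ScRiPt>",
                   "<img src=x onerror=alert(1)>"):
        print(f"{sample!r}: blocklist accepts={passes_script_blocklist(sample)}"
              f" escaped={render_field(sample)!r}")
```

Running it shows the classic `' OR '1'='1` entry returning all three rows through the concatenated query and nothing through the parameterized one, and shows the `<img ... onerror=...>` entry sailing through the `<script>` blocklist while `render_field` neutralizes every sample the same way.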