
          <%
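          ' sqlcheck: keyword screen plus character stripping for one request value.
          ' Str     - the value to check; compared case-insensitively.
          ' errtype - error code forwarded to ShowError.asp when Str is rejected.
          ' Returns Str with the listed punctuation removed. If Str contains one
          ' of the keyword fragments the function instead writes a client-side
          ' redirect to ShowError.asp and ends the response.
          ' NOTE(review): this is a blacklist, not a sanitizer. "and "/"or "
          ' also reject ordinary words ("color ", "band "), and because spaces
          ' are stripped only AFTER the keyword test, the returned value can
          ' still spell a keyword the test looked for. Binding the value with
          ' ADODB.Command parameters is the reliable protection; treat this as
          ' defence in depth at most.
          function sqlcheck(Str,errtype)
           Dim lowered
           lowered = LCase(Str)
           if Instr(lowered,"select ") > 0 or Instr(lowered,"insert ") > 0 or Instr(lowered,"delete ") > 0 _
              or Instr(lowered,"delete from ") > 0 or Instr(lowered,"count(") > 0 or Instr(lowered,"drop table") > 0 _
              or Instr(lowered,"update ") > 0 or Instr(lowered,"truncate ") > 0 or Instr(lowered,"asc(") > 0 _
              or Instr(lowered,"mid(") > 0 or Instr(lowered,"char(") > 0 or Instr(lowered,"xp_cmdshell") > 0 _
              or Instr(lowered,"exec master") > 0 or Instr(lowered,"net localgroup administrators") > 0 _
              or Instr(lowered,"and ") > 0 or Instr(lowered,"net user") > 0 or Instr(lowered,"or ") > 0 then
            ' errtype is written into a JavaScript string literal and a query
            ' string; URL-encode it so it cannot close either. Pass it unencoded.
            Response.write("<script language=javascript>" & vbcrlf & "window.location.href ='ShowError.asp?errtype=" & Server.URLEncode(errtype) & "'" & vbcrlf & "</script>")
            Response.End
           end if
           ' Strip characters the original author associated with injection
           ' attempts: _ * space " ' [ ] % : ; + { }
           Str=Replace(Str,"_","")
           Str=Replace(Str,"*","")
           Str=Replace(Str," ","")
           Str=Replace(Str,chr(34),"")
           Str=Replace(Str,chr(39),"")
           Str=Replace(Str,chr(91),"")
           Str=Replace(Str,chr(93),"")
           Str=Replace(Str,chr(37),"")
           Str=Replace(Str,chr(58),"")
           Str=Replace(Str,chr(59),"")
           Str=Replace(Str,chr(43),"")
           Str=Replace(Str,"{","")
           Str=Replace(Str,"}","")
           ' Return the value after the replacements above.
           sqlcheck=Str
          end function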
          %>


          ' SafeRequest: fetch a request parameter and apply a type-specific guard.
          ' ParaName - name of the request parameter (string).
          ' ParaType - 1 means the value must be numeric; anything else means text.
          ' Returns the value as read for numeric parameters (after IsNumeric
          ' passes) and the value with single quotes doubled for text parameters.
          ' A non-numeric value for a numeric parameter writes a message and
          ' ends the response.
          ' NOTE(review): Request(ParaName) searches QueryString, Form, Cookies,
          ' ClientCertificate and ServerVariables in turn, so the value's origin
          ' is ambiguous; read the specific collection you mean. Doubling quotes
          ' only protects a single-quoted literal; ADODB.Command parameters
          ' remove the need for it.
          function SafeRequest(ParaName,ParaType)
           Dim Fetched
           Fetched = Request(ParaName)
           Select Case ParaType
            Case 1
             ' Numeric parameter: must pass IsNumeric, otherwise stop the page.
             If not isNumeric(Fetched) then
              Response.write "參數" & ParaName & "必須為數字型!"
              Response.end
             End if
            Case Else
             ' Text parameter: escape the string-literal delimiter.
             Fetched = replace(Fetched,"'","''")
           End Select
           SafeRequest = Fetched
          end function


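          ' SafeRequest: filter an already-fetched request value by declared type.
          ' ParaValue - the value itself (this variant does not call Request).
          ' ParaType  - 1 means the value must be numeric; anything else means text.
          ' Returns ParaValue unchanged for numeric parameters (after IsNumeric
          ' passes), or with quotes, comparison operators, a few fixed probe
          ' strings and a list of SQL keywords deleted for text parameters.
          ' A non-numeric value for a numeric parameter writes a message and
          ' ends the response.
          ' NOTE(review): deleting substrings mangles legitimate text ("account"
          ' loses "count", "Chris" loses "chr") and cannot make string-built SQL
          ' safe; bind values with ADODB.Command parameters and keep this, if at
          ' all, as defence in depth.
          Function SafeRequest(ParaValue,ParaType)
           Dim Word
           If ParaType=1 then
            If not isNumeric(ParaValue) then
             ' The original interpolated an undeclared ParaName here (always
             ' Empty), so this literal reproduces the message it actually printed.
             Response.write " 參數必須為數字型!"
             Response.end
            End if
           Else
            ParaValue=replace(ParaValue,"'","")
            ParaValue=replace(ParaValue,";and 1=1","")
            ParaValue=replace(ParaValue,";and 1=2","")
            ParaValue=replace(ParaValue,";and user>0","")
            ' Same order as the original list. "delect" was a typo for "delete",
            ' and the original Replace was case-sensitive so "SELECT" passed;
            ' vbTextCompare makes the keyword deletion case-insensitive.
            For Each Word In Array(">","<","=","count","select","drop","delete","insert","execute","update","mid","exec","master","char","declare","*","%","chr","truncate")
             ParaValue=replace(ParaValue,Word,"",1,-1,vbTextCompare)
            Next
           End if
           SafeRequest=ParaValue
          End function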
          ' Usage example: read the data-directory id (absent means all data) and
          ' validate it as numeric with the value-taking SafeRequest above.
          DirID = SafeRequest(Request("DirID"), 1)


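          ' Page-level keyword screen: ends the response with "*****" when the
          ' raw query string or raw form body contains any listed fragment.
          ' NOTE(review): Request.QueryString / Request.Form read without a key
          ' give the still URL-encoded text, so the "%" entry fires on every
          ' percent-encoded byte (e.g. a space sent as %20) and "or"/"and" fire
          ' inside ordinary words. A blacklist is not a substitute for
          ' parameterized queries.
          Dim SQL_inbreakstr
          SQL_inbreakstr = "'|or|and|exec|insert|select|delete|update|drop|count|*|%|chr|mid|master|truncate|char|declare"
          SQL_inbreak = split(SQL_inbreakstr,"|")
          R_Q=Request.QueryString
          R_F=Request.Form

          ' Ends the response if Payload contains any blacklisted fragment.
          ' The list is lowercase, so Payload is lowercased first: the original
          ' InStr used binary comparison and let "SELECT" through.
          Sub SQL_inbreakScan(Payload)
           Dim k, lowered
           lowered = LCase(Payload)
           For k = 0 To Ubound(SQL_inbreak)
            IF instr(lowered,SQL_inbreak(k))>0 THEN
             Response.Write "*****"
             Response.End
            END IF
           Next
          End Sub

          IF R_Q<>"" THEN SQL_inbreakScan R_Q
          IF R_F<>"" THEN SQL_inbreakScan R_F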


          <%
          '--------版權說明------------------
          'SQL通用防注入程序 V2.0 完美版
          '本程序由 火狐-楓知秋 獨立開發
          '對本程序有任何疑問請聯系本人
          'QQ:613548

          '--------定義部份------------------
          ' Shared state for the filter below: loop variables, the raw and split
          ' fragment lists, and the ADO connection used to log blocked requests.
          Dim Fy_Post, Fy_Get, Fy_In, Fy_Inf, Fy_Xh
          Dim Fy_db, Fy_dbstr
          ' Fragments to block; the list is split on "楓" below.
          Fy_In = Join(Array("'", ";", "and", "exec", "insert", "select", "delete", "update", "count", "*", "%", "chr", "mid", "master", "truncate", "char", "declare"), "楓")
          '----------------------------------
          %>

          <%
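          Fy_Inf = split(Fy_In,"楓")

          ' Double single quotes so Value can sit inside a Jet/Access string
          ' literal. Applied to every interpolated field of the log INSERT, not
          ' only the payload: the parameter NAME comes from the request as well
          ' (For Each over Request.Form / Request.QueryString) and the original
          ' wrote it, the IP and the URL into the SQL unescaped.
          Function Fy_SqlQuote(Fy_Value)
           Fy_SqlQuote = Replace(Fy_Value & "", "'", "''")
          End Function

          ' Log a blocked request to SqlIn.mdb, show the block page and end the
          ' response. Fy_Method is "POST" or "GET"; Fy_Name/Fy_Value are the
          ' offending parameter and its submitted value.
          ' NOTE(review): ADODB.Command parameters would be preferable to
          ' escaping; escaping is kept to stay within the original Execute
          ' call. Request data echoed to the page is HTML-encoded so the block
          ' page does not reflect script.
          Sub Fy_LogAndStop(Fy_Method, Fy_Name, Fy_Value)
           Dim Fy_Ip, Fy_Url
           Fy_Ip = Request.ServerVariables("REMOTE_ADDR")
           Fy_Url = Request.ServerVariables("URL")
           '--------write to database-------head--------
           Fy_dbstr="DBQ=" & server.mappath("SqlIn.mdb") & ";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};"
           Set Fy_db=Server.CreateObject("ADODB.CONNECTION")
           Fy_db.open Fy_dbstr
           Fy_db.Execute("insert into SqlIn(Sqlin_IP,SqlIn_Web,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values('" & Fy_SqlQuote(Fy_Ip) & "','" & Fy_SqlQuote(Fy_Url) & "','" & Fy_Method & "','" & Fy_SqlQuote(Fy_Name) & "','" & Fy_SqlQuote(Fy_Value) & "')")
           Fy_db.close
           Set Fy_db = Nothing
           '--------write to database-------tail--------

           Response.Write "<Script Language=JavaScript>alert('楓網SQL通用防注入系統提示↓\n\n請不要在參數中包含非法字符嘗試注入!\n\nHTTP://WwW.WrSkY.CoM  系統版本:V2.0(ASP)完美版');</Script>"
           Response.Write "非法操作!系統做了如下記錄↓<br>"
           Response.Write "操作IP:" & Server.HTMLEncode(Fy_Ip & "") & "<br>"
           Response.Write "操作時間:" & Now & "<br>"
           Response.Write "操作頁面:" & Server.HTMLEncode(Fy_Url & "") & "<br>"
           Response.Write "提交方式:" & Fy_Method & "<br>"
           Response.Write "提交參數:" & Server.HTMLEncode(Fy_Name & "") & "<br>"
           Response.Write "提交數據:" & Server.HTMLEncode(Fy_Value & "")
           Response.End
          End Sub

          ' Fy_Inf holds single characters ("'", "*", "%") and bare words
          ' ("and"), so ordinary values such as "Sandra" or "50%" are blocked.
          '--------POST part------------------
          If Request.Form<>"" Then
           For Each Fy_Post In Request.Form
            For Fy_Xh=0 To Ubound(Fy_Inf)
             If Instr(LCase(Request.Form(Fy_Post)),Fy_Inf(Fy_Xh))<>0 Then
              Fy_LogAndStop "POST", Fy_Post, Request.Form(Fy_Post)
             End If
            Next
           Next
          End If
          '----------------------------------

          '--------GET part-------------------
          If Request.QueryString<>"" Then
           For Each Fy_Get In Request.QueryString
            For Fy_Xh=0 To Ubound(Fy_Inf)
             If Instr(LCase(Request.QueryString(Fy_Get)),Fy_Inf(Fy_Xh))<>0 Then
              Fy_LogAndStop "GET", Fy_Get, Request.QueryString(Fy_Get)
             End If
            Next
           Next
          End If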
          '----------------------------------
          %>

          可以防止所有的sql注入:
          ' SafeRequest: read a request parameter and guard it by declared type.
          ' ParaName - request parameter name (string).
          ' ParaType - 1 = numeric (IsNumeric must pass), otherwise text.
          ' Numeric values are returned as read; text values have every single
          ' quote doubled. A non-numeric value for a numeric parameter writes an
          ' error line and ends the response.
          ' NOTE(review): doubling quotes only covers single-quoted literals, and
          ' Request(ParaName) reads from whichever collection matches first
          ' (query string, form, cookies, ...). Binding with ADODB.Command
          ' parameters is the robust alternative; this helper does not prevent
          ' every form of SQL injection.
          Function SafeRequest(ParaName,ParaType)
           Dim Raw, NeedsNumber
           Raw = Request(ParaName)
           NeedsNumber = (ParaType=1)
           If NeedsNumber then
            ' Declared numeric: refuse anything IsNumeric rejects.
            If Not isNumeric(Raw) then
             Response.write "<br><br><br><center><font color=red>參數" & ParaName & "必須為數字型!"
             Response.end
            End if
           Else
            ' Declared text: escape the string-literal delimiter.
            Raw = replace(Raw,"'","''")
           End if
           SafeRequest = Raw
          End function
          來源:
          http://www.yesky.com/305/1899305.shtml

          posted on 2006-02-05 10:23 my java 閱讀(642) 評論(0)  編輯  收藏
