Dim Fy_Post,Fy_Get,Fy_In,Fy_Inf,Fy_Xh,Fy_db,Fy_dbstr,Kill_IP,WriteSql
'自定義需要過濾的字串,用 "|" 分隔
Fy_In = "'|;|and|(|)|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|exist|drop"
Kill_IP=True
WriteSql=True           
'----------------------------------
Fy_Inf = split(Fy_In,"|")
'--------POST部份------------------
If Request.Form<>"" Then
    For Each Fy_Post In Request.Form
        For Fy_Xh=0 To Ubound(Fy_Inf)
            If Instr(LCase(Request.Form(Fy_Post)),Fy_Inf(Fy_Xh))<>0 Then
            Response.Redirect "/index.asp"
            Response.End
            End If
        Next
    Next
End If
If Request.QueryString<>"" Then
    For Each Fy_Get In Request.QueryString
        For Fy_Xh=0 To Ubound(Fy_Inf)
            If Instr(LCase(Request.QueryString(Fy_Get)),Fy_Inf(Fy_Xh))<>0 Then
            Response.Redirect "/index.asp"
            Response.End
            End If
        Next
    Next
End If

Public Function execSqlOpen(connect,cursorType,lockType,args())
      set cmdTemp = server.CreateObject("ADODB.Command")
          cmdTemp.ActiveConnection = connect
          cmdTemp.Prepared = true
          cmdTemp.CommandText = args(0)
    Dim i  
        For i = 1 To UBound(args)  
           set paramTemp = cmdTemp.CreateParameter("",201,1,Len(args(i))+10,args(i))
        cmdTemp.Parameters.Append paramTemp
        Next   
          set rsTemp=server.CreateObject("adodb.recordset")
          rsTemp.open cmdTemp,,cursorType,lockType
          set execSqlOpen = rsTemp
end function

Public Function execSqlExecute(connect,args())
      set cmdTemp = server.CreateObject("ADODB.Command")
          cmdTemp.ActiveConnection = connect
          cmdTemp.Prepared = true
          cmdTemp.CommandText = args(0)
    Dim i
        For i = 1 To UBound(args)  
           set paramTemp = cmdTemp.CreateParameter("",201,1,Len(args(i))+10,args(i))
        cmdTemp.Parameters.Append paramTemp
        Next   
          set execSqlExecute = cmdTemp.execute
end function

sql="select * from table where column='"&column&"'"
set rs=server.CreateObject("ADODB.recordset")
rs.Open sql,conn,1,1
=>
dim args
args = Array("select * from table where column = ?",column)
set rs = execSqlOpen(conn,1,1,args)

sql="select * from table where 1=1 and column1='"&request("column1")&"'"
if column2<>"" then
sql=sql&" and column2 like '%"&column2&"%'"
end if
if column3<>"" then
sql=sql&" and column3 ="&column3&""
end if
sql=sql&" order by column4 desc;"
Set rs= Server.CreateObject("ADODB.Recordset")
rs.open sql,conn,1,1
=>
dim args
args = Array("select * from table where 1=1 and column1=?",request("column1"))
if column2<>"" then
args(0)=args(0)&" and column2 like ?"
ReDim Preserve args(UBound(args)+1)
args(UBound(args)) = "%"&column2&"%"
end if
if column3<>"" then
args(0)=args(0)&" and column3 =?"
ReDim Preserve args(UBound(args)+1)
args(UBound(args)) = column3
end if
args(0)=args(0)&" order by column4 desc;"
set rs = execSqlOpen(conn,1,1,args)

Set Rs_t=Conn.Execute("Select column From "&table&" where column1="&column1)
=>
dim args
args = Array("Select column From "&table&" where column1=?",column1)
set Rs_t = execSqlExecute(conn,args)

set rs=conn.execute("select * from table where column="&request("column"))
=>
dim args
args = Array("select * from table where column = ?",request("column"))
set rs = execSqlExecute(conn,args)

conn.execute("update table set column = '"&column&"'")
=>
dim args
args = Array("update table set column = ?",column)
call execSqlExecute(conn,args)