
July 9th, 2003, 08:16 AM
Contributing User
You should probably write some validation code that looks for certain trends in the input. I have no idea how you'd do this in ASP, so I'll write it out in plain English.
First off, I don't imagine you're going to want anybody to do any DELETING or DROPPING or CREATING. I'd also be leery of allowing UPDATING from an interface like this, as your database stands a very good chance of being hosed. Your database privileges can prevent these types of actions, but it'd also be good to preempt that denial by sending back errors if users even attempt to perform these actions.
So you'd read in the query they submit and search the string for these key words. If you find one, print the appropriate error message and exit.
As for selects, you just need to validate the right query format. So you'd want to check to make sure a string started with "SELECT" (case-insensitive), then some text or numeric values and then "FROM" and at least one word following "FROM." Optionally, you should look for "WHERE" or "LEFT JOIN" or other sets of key words that'd fit here, followed by key/value pairs and either zero quotation marks or an even number of question marks.
If the query sent doesn't match the basic format of a valid query, error and return a message. The database does this, of course, but by first validating the queries, you're saving database load and ensuring that valid but malicious queries (DELETE * FROM users) don't get that far along in the process.
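The checks the post describes, written out as an added Python example (not code from the poster or from ASP): a keyword screen for the statement types it rules out, a balanced-quote check, a single-statement check, and a regular expression for the SELECT ... FROM ... [WHERE ...] shape. The function name and the exact set of clause keywords are my own choices; as the post notes, the database account's privileges remain the real control and this filter only sits in front of them.

```python
import re

# Statement types the post says this interface should never accept.
FORBIDDEN = re.compile(r"\b(DELETE|DROP|CREATE|UPDATE)\b", re.IGNORECASE)

# Rough shape of an allowed query, per the post: SELECT <columns> FROM <table>,
# optionally followed by one of a fixed set of clause keywords and its text.
# (Keyword list is an assumption; extend it for the clauses you actually allow.)
SELECT_SHAPE = re.compile(
    r"^\s*SELECT\s+.+?\s+FROM\s+\w+"
    r"(\s+(WHERE|LEFT\s+JOIN|INNER\s+JOIN|ORDER\s+BY|GROUP\s+BY)\s+.+)?"
    r"\s*;?\s*$",
    re.IGNORECASE | re.DOTALL,
)


def validate_query(query: str):
    """Return (ok, message); ok is True only when every check passes."""
    hit = FORBIDDEN.search(query)
    if hit:
        return False, f"statement type not allowed: {hit.group(1).upper()}"
    # Odd number of quotes means a string literal was never closed.
    if query.count("'") % 2 or query.count('"') % 2:
        return False, "unbalanced quotation marks"
    # A semicolon anywhere but the very end means more than one statement.
    if ";" in query.rstrip().rstrip(";"):
        return False, "only a single statement is accepted"
    if not SELECT_SHAPE.match(query):
        return False, "query does not match SELECT ... FROM ... [WHERE ...]"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs.
    for q in ["SELECT name, email FROM users WHERE id = 5",
              "DELETE * FROM users",
              "SELECT * FROM users; SELECT 1"]:
        print(q, "->", validate_query(q))
```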