Lost in .NET Code

Developing software in .NET, Security and other ramblings.

Classic ASP Functions for preventing SQL Injections

Tuesday, June 10, 2008

The big rule for any CRUD work in an ASP or ASP.NET app against SQL Server is that you MUST use parameterized queries: user input is bound as a parameter, never concatenated into the SQL text.

http://msdn.microsoft.com/en-us/library/cc676512.aspx

The article above also describes a second layer: validating input with regular expressions before it gets anywhere near the database code.

Below are two example functions, one that tests whether a string is an integer and one that strips everything except digits from a string. Both give a basic first layer against SQL injection in classic ASP: a lot of web apps use an int as the key field in a database table, so it gets passed around in query strings, and a query-string value is entirely under the visitor's control. A couple of caveats. Neither function replaces parameters; they only narrow what is allowed to reach the query. IsInt rejects bad input outright, which is the safer of the two; OnlyInt silently rewrites it (OnlyInt("5 OR 1=1") returns "511"), so a tampered request quietly turns into a request for a different record instead of an error. Neither accepts a leading minus sign, and a long enough run of digits will still overflow CLng, so convert the value and handle the error rather than trusting the regex alone. Hopefully these will prove useful to someone else.

Function IsInt(strOriginalString)
    ' Returns True only when the whole string is one or more ASCII digits.
    ' Rejects empty strings, whitespace, signs and decimal points.
    Dim objRegExp : Set objRegExp = New RegExp
    With objRegExp
        .Pattern = "^\d+$"
        .IgnoreCase = True   ' irrelevant for \d, kept for consistency
        .Global = True       ' irrelevant for Test, which stops at the first match
    End With

    IsInt = objRegExp.Test(strOriginalString)
    Set objRegExp = Nothing
End Function

Function OnlyInt(strOriginalString)
    ' Returns every digit in the input concatenated, dropping everything else.
    ' This repairs rather than rejects bad input, so prefer IsInt for key values.
    Dim regEx, Match, Matches, returnString
    returnString = ""                    ' return "" rather than Empty when nothing matches
    Set regEx = New RegExp               ' Create a regular expression.
    regEx.Pattern = "\d+"                ' one or more consecutive digits
    regEx.IgnoreCase = True              ' irrelevant for \d, kept for consistency
    regEx.Global = True                  ' find every run of digits, not just the first
    Set Matches = regEx.Execute(strOriginalString)
    For Each Match In Matches            ' Iterate Matches collection.
        returnString = returnString & Match.Value
    Next
    OnlyInt = returnString
    Set regEx = Nothing
End Function
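The following page puts both layers together: the id from the query string is checked with IsInt, converted with CLng, and then bound as an ADO parameter instead of being concatenated into the SQL. It is an added example, not code from the original post or from the linked MSDN article. It assumes the two functions above are saved as validate.inc alongside the page, that a connection string is stored in Application("ConnString"), and that a Products table with ProductId and Name columns exists; all of those are made up for the illustration.

```vbscript
<%@ Language="VBScript" %>
<% Option Explicit %>
<!-- #include file="validate.inc" -->
<%
' Added example (not from the original post). Looks up one product by the
' integer id in the query string. The id is validated with IsInt from the
' include above, range-checked with CLng, and bound as a parameter.
' Application("ConnString"), the Products table and its ProductId/Name
' columns are assumptions for this example.

' ADO constants, normally supplied by adovbs.inc or the type library.
Const adCmdText    = 1
Const adInteger    = 3
Const adParamInput = 1

Dim strId, lngId, conn, cmd, rs

strId = Request.QueryString("id")

' Reject rather than repair: anything that is not a plain run of digits is a 400.
If Not IsInt(strId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid id"
    Response.End
End If

' IsInt only proves the string is digits; it can still exceed a 32-bit int,
' in which case CLng raises an Overflow error that we turn into a 400.
On Error Resume Next
lngId = CLng(strId)
If Err.Number <> 0 Then
    Err.Clear
    On Error GoTo 0
    Response.Status = "400 Bad Request"
    Response.Write "Invalid id"
    Response.End
End If
On Error GoTo 0

' The VULNERABLE pattern this replaces (never do this):
'   sql = "SELECT Name FROM Products WHERE ProductId = " & strId

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT Name FROM Products WHERE ProductId = ?"
' The value travels to SQL Server as a typed integer parameter, so even if the
' validation above were bypassed it could never be parsed as SQL.
cmd.Parameters.Append cmd.CreateParameter("ProductId", adInteger, adParamInput, , lngId)

Set rs = cmd.Execute

If rs.EOF Then
    Response.Status = "404 Not Found"
    Response.Write "No such product"
Else
    ' Encode on the way out as well; a safe query does not make the output safe.
    Response.Write Server.HTMLEncode(rs("Name").Value & "")
End If

rs.Close : Set rs = Nothing
Set cmd = Nothing
conn.Close : Set conn = Nothing
%>
```

Requesting the page with ?id=42 runs the parameterized lookup; ?id=42%20OR%201=1 is refused with a 400 before any database call, and ?id=99999999999 passes the regex but is caught by the CLng overflow check. Because the id is bound as adInteger, the parameter layer would hold even if the validation were removed, which is why the regex is described as a first layer and not the defence.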
