Notes on ASP web development: security recommendations (from RAINMAN_NET's Blog)
Keywords: ASP, web development, points to keep in mind
Never assume that user-supplied input is the right size or contains only the characters you expect. Validate all user input before it is used to make any decision. The most robust option is to do the validation in a COM+ component that the ASP page calls. At minimum, check the input against a whitelist of allowed characters and lengths (one of the code examples at the bottom of this page does this), and encode it before writing it back to the client: Server.HTMLEncode when it goes into HTML, Server.URLEncode when it goes into a URL. Note that these two methods are output encodings, not validation; they stop injected markup from being interpreted, but they do not make the value correct.
Do not build SQL statements or database connection strings in ASP pages by concatenating text entered by the user. A malicious user can gain access to the database by embedding SQL in that input (SQL injection). If you use a SQL database, pass user input to stored procedures or to parameterized commands as typed parameters, so that it is never parsed as part of the statement text.
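As an added illustration (not code from the original post), the following classic ASP page shows the concatenated query the recommendation warns about beside the parameterized ADO command that replaces it. The connection string, the Users table, the UserName and UserID columns and the usp_GetUserId procedure are assumptions made for the example.

```vbscript
<%
Option Explicit
' Added example, not from the original post. Connection string, table and
' column names and the stored procedure name are illustrative assumptions.

' ADO constants (normally pulled in from adovbs.inc); declared here so the
' page is self-contained.
Const adCmdText = 1
Const adCmdStoredProc = 4
Const adParamInput = 1
Const adVarChar = 200

Dim conn, cmd, rs, userName
' CStr() so ADO receives a plain string, not the request collection item.
userName = CStr(Request.Form("username"))

Set conn = Server.CreateObject("ADODB.Connection")
' Never assemble this string from anything the client sent.
conn.Open "Provider=SQLOLEDB;Data Source=dbserver;Initial Catalog=Shop;Integrated Security=SSPI;"

' VULNERABLE (kept as a comment so it never runs): a username of
'     x' OR '1'='1
' turns the WHERE clause into a tautology, and
'     x'; DROP TABLE Users; --
' appends a second statement. The quote typed by the user closes the literal
' and everything after it is parsed as SQL.
'   Set rs = conn.Execute("SELECT UserID FROM Users WHERE UserName = '" & userName & "'")

' SAFE: the value travels as a typed, length-limited parameter and is never
' interpreted as SQL, whatever characters it contains.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT UserID FROM Users WHERE UserName = ?"
cmd.Parameters.Append cmd.CreateParameter("@UserName", adVarChar, adParamInput, 32, userName)

' Equivalent stored-procedure form: grant the ASP login EXECUTE on the
' procedure instead of SELECT on the table, then swap these two lines in.
'   cmd.CommandType = adCmdStoredProc
'   cmd.CommandText = "usp_GetUserId"

Set rs = cmd.Execute

If Not rs.EOF Then
    ' Encode on the way out as well; database content is not trusted either.
    Response.Write "User id: " & Server.HTMLEncode(CStr(rs("UserID")))
Else
    Response.Write "No such user."
End If

rs.Close
conn.Close
%>
```

The parameter's declared size (32) doubles as a server-side length cap; combine it with the whitelist check described above so that oversized or malformed names are rejected before the database is ever contacted.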
Do not use the default SQL Server administrator account, sa. Everyone who uses SQL Server knows that the sa account exists, so it is the first target of password guessing. Create a separate administrative login with a strong password for your own use, give sa a strong password as well, and then disable or rename it (it cannot be dropped; on SQL Server 2005 and later this is done with ALTER LOGIN).
Never store client passwords in clear text, and do not mistake encoding for protection: base64, Server.HTMLEncode and Server.URLEncode are reversible transformations that anyone can undo. Store only a salted hash produced by a proper password-hashing algorithm, and verify a login by recomputing the hash from the submitted password and comparing it with the stored value. VBScript has no built-in hash functions, so do this inside a COM+ component rather than in the page. You can still use the code example at the bottom of this page to check the characters in the submitted password before it is hashed.
Do not embed administrative account names or passwords in administrative scripts or ASP pages.
Do not make security decisions in code based on request headers (for example Referer, User-Agent or Host), because any header can be forged by a malicious user. Always encode header data before echoing it, or validate the characters it contains with the code example at the bottom of this page.
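The two recommendations above (validate input, never trust headers) come down to the same page-level pattern: whitelist-check every client-supplied value, reject the request when the check fails, and encode whatever is echoed back. The following classic ASP page is an added example of that pattern, not one of the code examples the original post refers to; the field names username and id, the patterns and the length limits are assumptions chosen for illustration.

```vbscript
<%
Option Explicit
' Added example, not from the original post. Field names, patterns and
' length limits are illustrative assumptions.

' Returns True only if s is non-empty, within maxLen characters and matches
' the whitelist pattern; anything else is rejected.
Function MatchesWhitelist(s, pattern, maxLen)
    Dim re
    MatchesWhitelist = False
    If IsNull(s) Then Exit Function
    If Len(s) = 0 Or Len(s) > maxLen Then Exit Function
    Set re = New RegExp
    re.Pattern = pattern
    re.IgnoreCase = False
    re.Global = False
    MatchesWhitelist = re.Test(s)
End Function

' Username: letters, digits and underscore only, 3 to 32 characters.
Function IsValidUserName(s)
    IsValidUserName = MatchesWhitelist(s, "^[A-Za-z0-9_]{3,32}$", 32)
End Function

' Record id: 1 to 9 digits, no sign, no whitespace, nothing else.
Function IsValidRecordId(s)
    IsValidRecordId = MatchesWhitelist(s, "^[0-9]{1,9}$", 9)
End Function

Dim userName, recordId, referer
userName = CStr(Request.Form("username"))
recordId = CStr(Request.QueryString("id"))

' Fail closed: a request that does not match the whitelist is refused
' before any of its values reach a database or a file path.
If Not IsValidUserName(userName) Or Not IsValidRecordId(recordId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid input."
    Response.End
End If

' Request headers are attacker-controlled just like form fields. Displaying
' the Referer is harmless only because it is encoded; it must never be used
' to decide whether the caller is allowed to do something.
referer = CStr(Request.ServerVariables("HTTP_REFERER"))
If Len(referer) > 0 Then
    Response.Write "<p>Referring page: " & Server.HTMLEncode(referer) & "</p>"
End If

' Encode for the context the value lands in: HTML body vs. URL component.
Response.Write "<p>Hello, " & Server.HTMLEncode(userName) & "</p>"
Response.Write "<a href=""detail.asp?id=" & Server.URLEncode(recordId) & """>Details</a>"
%>
```

The check is deliberately a whitelist rather than a blacklist of dangerous characters: a list of what is allowed stays correct as new attack encodings appear, whereas a list of what is forbidden has to be updated for each one.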
Do not store sensitive data in cookies or in hidden form fields on web pages; both are under the client's control and can be read and modified before they are sent back.
Always use Secure Sockets Layer (SSL) for session-based applications so that session cookies are never sent in clear text. If a session cookie is transmitted unencrypted, an attacker who captures it on the network can replay it and take over the session; and because ASP applications running in the same process share the session cookie, a cookie captured from one application may grant access to another application in that process.
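An added example (not from the original post) of enforcing the recommendation above in a classic ASP page: refuse to serve a session-based page over clear-text HTTP, and mark the application's own cookies so the browser sends them only over SSL and keeps them out of reach of script. The host name, the cookie name AuthTicket and the ticket variable are assumptions made for the example.

```vbscript
<%
Option Explicit
' Added example, not from the original post. SiteHost, the AuthTicket cookie
' and the ticket value are illustrative assumptions.

' Configured, not taken from the Host header: the Host header is client
' supplied and must not decide where the browser is redirected.
Const SiteHost = "www.example.com"

Dim target, qs, ticket

' IIS sets HTTPS to "on" only when the request arrived over SSL.
If LCase(CStr(Request.ServerVariables("HTTPS"))) <> "on" Then
    ' Rebuild the same path and query over https:// and stop processing, so
    ' no session-bearing response is ever written to the clear-text channel.
    target = "https://" & SiteHost & CStr(Request.ServerVariables("URL"))
    qs = CStr(Request.ServerVariables("QUERY_STRING"))
    If Len(qs) > 0 Then target = target & "?" & qs
    Response.Redirect target
    Response.End
End If

' Application cookie: Secure stops the browser from sending it over http://,
' HttpOnly keeps page script from reading it. Response.Cookies exposes a
' Secure property but no HttpOnly property, so the header is written directly.
ticket = "opaque-random-token"   ' placeholder; issue a random value per login
Response.AddHeader "Set-Cookie", "AuthTicket=" & Server.URLEncode(ticket) & "; Path=/; Secure; HttpOnly"

Response.Write "<p>Secure session page.</p>"
%>
```

The ASP session cookie (ASPSESSIONID...) is issued by the ASP runtime rather than by the page, so it cannot be marked Secure from script; it is protected by making sure, as above, that every page of the application is reached only over SSL.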
When writing ISAPI applications, ISAPI filters, or COM+ objects, guard against buffer overflows: check the size of every variable and of all incoming data before copying it. Also watch for canonicalization problems, where the same resource can be named in more than one way and a check made on one form is bypassed by another, such as a path that is interpreted as absolute when you expected it to be relative, or a URL whose encoded form passes a check that its decoded form would fail.
The impersonation token becomes stale when an ASP application that has been running in a single-threaded apartment (STA) is switched to a multi-threaded apartment (MTA). The application can then run without impersonation, that is, under the process identity rather than the caller's, which may give it access to resources the impersonated user could not reach. If you must switch the threading model, disable the application and unload it before making the change.