PCI Check help please

We recently ran a PCI check on our website to see if it was totally secure.

In the report, it was noted that we have got 6 security holes.

The error we are getting is:

The following CGI script seem to be vulnerable to various SQL injection techniques.

This error was being shown for a value from a html form called 'what', which would always have a value of '1'.

In order to try and solve the problem, i have changed the value of what from '1' to Clng(1) which i believe should only allow numbers, therefore not allowing SQL injection to be done, however the problem is still arising.

I wondered if anyone could help with this.

Thanks

You haven't provided any code or even mentioned what language it's written in.

response.write("<tr><td colspan='2'><input type='hidden' name='what' value='"&Server.HTMLEncode(Clng(1))&"'>" &vbcrlf)

It is that 'what' value that is causing the problem when it is submitted as it says it can insert sql injection but I dont know how it can.

The page is coded in asp.

The question is, what does the receiving form do with "what" parameter? What is the target of <form action=???> , and what does this script do with "what"?

The question is, what does the receiving form do with "what" parameter? What is the target of <form action=???> , and what does this script do with "what"?
The form action is the same page that the form is currently on. It loads that page, and if the parameter "what" = 1 then it will run our form validation.

The default value is 1, so it will always load the page and do form validation when the form is submitted

I think the "what" is pretty safe then.
It is only an internal state machine, as long as you don't send it into SQL query, it can't be an injection.