SQL Injection Source?
Arnack
05-22-2006, 02:00 AM
May someone please provide me with the full code of a vulnerable SQL Injection script?
Thanks,
-Arnack
vinyl-junkie
05-22-2006, 08:34 AM
Sounds like you're asking how to write a script like this. ;) Just kidding. Here (http://www.sitepoint.com/article/sql-injection-attacks-safe) is an excellent article on how it can happen and some of the things you can do to prevent it.
ghell
05-24-2006, 01:24 PM
There are plenty of guides on doing it that get away with being there just on the grounds that a good programmer should be able to review all the attacks in them and make sure they prevent them.
The best way to prevent SQL injection is always to use bound parameters.
you can Execute a stored procedure as a native method of a Connection object (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ado270/htm/mdobjconnection.asp)
I can't remember if it's possible to use bound parameters in ADO though (especially if it's possible in ASP), but it would generally be done by having an SQL line something along the lines of "SELECT name FROM table WHERE age = ?" and then, when you execute the query, you give it some raw data to work with (as it goes past the SQL parser it would, for example, actually look for someone with an age of " or 1=1" and complain that this was a character type, not a numeric type). The ? may be something different in ADO, as I can't find any materials on MSDN or the web about it (hence why I don't know if it's possible, although ADODB.Command looks promising). .NET, I believe, uses SQL Server's @somevariablename convention, so it may be something like that; I'm not sure.
If bound parameters are not available you will be able to defeat most attacks by using IsNumeric() on numeric types and Replace(strCharacterData, "'", "''") on things which should be wrapped in 's. This is not foolproof but will stop 99% of injection attacks by amateur hackers. If you do this you should be able to forget about people using -- or ; etc., as if they use it in a numeric type it will come out false, so you can stop processing, and if they use it in a character type it will simply be part of the string. Binary data should be RegExd to confirm that it only contains 0-9a-fA-F (maybe also an x if you are ever going to submit it as 0xFF, for example), but you are unlikely to provide hex binary on a web form anyway (although I have done on occasion, which is why I'm mentioning it here). Dates should be treated as character types as they are wrapped in 's. As far as I know this only leaves unicode attacks out (characters that SQL Server can treat as a ' but aren't in fact single quotes); maybe someone else can say how to defend against them.
Just try and use bound parameters if you can :D
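The ADODB.Command route ghell mentions does work in classic ASP: Command.CreateParameter binds a typed value to the ? placeholder, so the input is handed to the driver as data rather than parsed as SQL. This is an added example, not code from the thread; the connection string and the "people" table with its age and city columns are placeholders.

```vbscript
<%
' Added example (not from the thread): bound parameters with ADODB.Command.
' Connection string and the "people" table are placeholders for your own.
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarChar = 200

Dim conn, cmd, rs, ageInput

' Vulnerable form, shown for contrast: concatenation lets input rewrite the query.
'   sql = "SELECT name FROM people WHERE age = " & Request.Form("age")
' An age of  0 OR 1=1  would then return every row.

ageInput = Request.Form("age")

' Numeric fields: reject anything that is not a number before it reaches the DB.
If Not IsNumeric(ageInput) Then
    Response.Write "age must be numeric"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=DB_SERVER_PLACEHOLDER;Initial Catalog=DB_NAME_PLACEHOLDER;Integrated Security=SSPI;"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' ? is the OLE DB placeholder. Values are supplied from the Parameters
' collection after the statement is parsed, so they can never become SQL syntax.
cmd.CommandText = "SELECT name FROM people WHERE age = ? AND city = ?"
cmd.Parameters.Append cmd.CreateParameter("age", adInteger, adParamInput, , CLng(ageInput))
cmd.Parameters.Append cmd.CreateParameter("city", adVarChar, adParamInput, 50, Request.Form("city"))

Set rs = cmd.Execute
Do Until rs.EOF
    ' Encode on output as well; a stored name may contain markup.
    Response.Write Server.HTMLEncode(rs("name")) & "<br>"
    rs.MoveNext
Loop

rs.Close
conn.Close
%>
```

A city value containing a single quote is passed through unchanged as part of the string, with no Replace() doubling needed, because it never goes through the SQL parser.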