Bob said:
They don't.
However, the fact that they are values being passed via parameter
means that they will be treated as values instead of pieces of
strings that need to be interpreted, so the inserted malicious code
will simply be inserted into the database table - the query engine
will make no attempt to interpret or execute the data.
Not sure if this went through the first time. Even if it did, I've revised
it to help make the distinction clearer:
<%
Response.Buffer=true
Sub WriteText(sometext, moretext)
response.write server.HTMLEncode(sometext) & "<BR>" & _
server.HTMLEncode(moretext)
End Sub
dim s1, s2
s1="try"
s2="this "":response.write ""<script type='text/javascript'>" & _
"alert('something bad')</script>"" '"
Response.Write "First, see the result of just calling the " & _
"sub, passing the text as argument values:<BR>"
WriteText s1,s2
Response.Write "<BR>See? No alert - text is simply written to page."
Response.Flush
dim i,t
t=now
do until datediff("s",t,now)>=4
loop
Response.Flush
Response.Write "<BR><BR>Now see the difference " & _
"using Execute()<BR><BR>"
Response.Flush
t=now
do until datediff("s",t,now)>=2
loop
dim stmt
stmt="WriteText """ & s1 & """, """ & s2 & """"
'Response.Write server.HTMLEncode(stmt) & "<BR><BR>"
Execute(stmt)
%>
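The same value-versus-interpreted-string distinction Bob draws for Execute() also applies to the database case mentioned at the top of the post. The following is an added example (Python with sqlite3, not code from the post): the users table and the payload string are constructed here, and the concatenated lookup mirrors what Execute(stmt) does to the assembled text.

```python
import sqlite3

# Constructed sample value: reads as SQL if interpreted, harmless when bound as a value.
PAYLOAD = "' OR '1'='1"


def make_db():
    """In-memory table with two users plus the payload stored as ordinary data."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT)")
    con.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    # Parameterised insert: the payload lands in the table verbatim; the engine
    # never parses it, exactly as the post describes for parameter values.
    con.execute("INSERT INTO users (name) VALUES (?)", (PAYLOAD,))
    return con


def lookup_parameterised(con, name):
    """The driver binds `name` as a value; only a literally equal row matches."""
    rows = con.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


def lookup_concatenated(con, name):
    """The value is pasted into the statement text first, like Execute(stmt) in the
    post, so the engine interprets whatever the string contains."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    rows = con.execute(sql).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    con = make_db()
    print(lookup_parameterised(con, PAYLOAD))  # just the row equal to the payload
    print(lookup_concatenated(con, PAYLOAD))   # every row: the text was interpreted
```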