October 5th, 2004, 07:04 AM
#1
Microsoft JET Database Code Injection
After doing a penetration test for a client, I discovered that the site was vulnerable to code injection. I was able to run scripts (VBScript, JScript, ASP) in the context of the server. After recoding the filtering mechanisms to look for characters like ' " ; < > ( ), everything seemed fine except for one thing. A certain sequence of characters repeated a certain number of times produces an SQL error message. This isn't good; it plainly shows that the site is still vulnerable. I'm at a complete loss to explain it. I know there are syntax differences between SQL and Microsoft's Jet Database implementations in regards to XSS and code injection, but I can't find any resources on this anywhere. So if anyone knows anything about this, please let me know. Thanks...