Identity authentication is used constantly in ASP programming. But how do you make that authentication secure?
Example:
Form Submission page: sub.htm
<title>Admin Login</title>
<body>
<form name="Form1" method="post" action="sub.asp">
<p>Admin:
<input type="text" name="UserID">
Password:
<input type="text" name="pass">
<input type="submit" name="Submission" value="Submit">
</p>
</form>
</body>
Sub.asp program
<%
' Receive the data from the form
User = Request.Form("UserID")
' Check whether the submitted field is empty (the form page may also check this with JavaScript or VBScript, but do not forget to check it here too!)
If User = "" Then
    ' Go to the error prompt page!
    Response.Redirect "Err1.htm"
    ' This may not be necessary, but add it anyway!
    Response.End
End If
Pass = Request.Form("Pass")
If Pass = "" Then
    Response.Redirect "Err2.htm"
    Response.End
End If
' Connect to the database
File = Server.MapPath("Your Database")
Set Conn = Server.CreateObject("ADODB.Connection")
Dr = "Driver={Microsoft Access Driver (*.mdb)};DBQ=" & File
Conn.Open Dr
Set Rs = Server.CreateObject("ADODB.Recordset")
' The key point is the SQL statement here: the form values are spliced straight into it
Sql = "SELECT * FROM table WHERE user='" & User & "' AND pass='" & Pass & "'"
Rs.Open Sql, Conn
If Not Rs.EOF Then
    ' A matching record was found, go to the admin page
    Response.Redirect "Login.asp"
Else
    ' No record found, go to the error page
    Response.Redirect "Err3.htm"
End If
%>
The code above looks as if it has no problem, but it carries a serious security risk:
If I want to log in as the administrator, I can type into the form on sub.htm:
First text box: a' or '1'='1
Second text box: a' or '1'='1
Submit, and you will see ... ("Okay, hear me out before the bricks start flying again ...")
(The a and the 1 can be any characters.)
Someone will ask: why does entering these characters log you in as the administrator?
These characters spoof the SQL statement in your program, and the login succeeds.
Everyone: the program's SQL queries the table for the records that satisfy the condition user='...' and pass='...':
Sql = "SELECT * FROM table WHERE user='" & User & "' AND pass='" & Pass & "'"
With the input I entered above, the statement becomes:
SELECT * FROM table WHERE user='a' or '1'='1' AND pass='a' or '1'='1'
Look at it: is there any reason it would not let me in? Give me one reason first! Because AND binds more tightly than OR, the trailing or '1'='1' is true for every row, so the recordset is never empty.
The user and pass fields above are character fields; the same applies if they are numeric!
Workaround:
1. Function substitution method:
Replace the special character in the user input with a substitute, and in that way keep it under control! :)
Sql = "SELECT * FROM table WHERE user='" & Replace(User, "'", "''") & "' AND pass='" & Replace(Pass, "'", "''") & "'"
This method can only replace one character at a time. In fact the dangerous characters are not just "'"; characters like ">", "<", "&", "%" and others should also be fully controlled. The Replace function does not seem up to that, so what do we do?
2. Program control method
Use the program to check every character of the client's input, so that you fully control any possibly dangerous characters or code the user enters. This is the method I use! :)
An example:
<%
' Capture the content of the form submitted by the client
User = Request.Form("User")
Pass = Request.Form("Pass")
' ...
' The control loop begins
For I = 1 To Len(User)
    ' Use the Mid function to read the character at position I of the variable User
    Us = Mid(User, I, 1)
    ' Compare the character that was read out
    If Us = "'" Or Us = "%" Or Us = "<" Or Us = ">" Or Us = "&" Then
        ' If it is one of the characters above, show the error page: the input may not contain these special characters
        Response.Redirect "Err2.htm"
        Response.End
    End If
Next
' ...
%>
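As an added example that is not part of the original article, the following Python (sqlite3 standing in for the ASP/ADO code) builds the same query shape as Sub.asp, applies the character check from the loop above, and also shows a parameterised query, which binds the input as data so the quote can never reach the SQL parser; the admin row and password are constructed here.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the Access table used by Sub.asp."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (user TEXT, pass TEXT)")
    conn.execute("INSERT INTO admin VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def login_concat(conn, user, pwd):
    """Same query shape as Sub.asp: the values are spliced into the SQL string."""
    sql = "SELECT * FROM admin WHERE user='" + user + "' AND pass='" + pwd + "'"
    return conn.execute(sql).fetchone() is not None


FORBIDDEN = set("'%<>&")   # the characters rejected by the loop in the article


def has_forbidden_chars(value):
    """The article's control loop: true if any forbidden character is present."""
    return any(ch in FORBIDDEN for ch in value)


def login_filtered(conn, user, pwd):
    """The article's second workaround: reject the input, then run the same query."""
    if has_forbidden_chars(user) or has_forbidden_chars(pwd):
        return False   # Err2.htm in the original
    return login_concat(conn, user, pwd)


def login_param(conn, user, pwd):
    """Parameterised query: the driver passes the values as data, not as SQL text."""
    sql = "SELECT * FROM admin WHERE user=? AND pass=?"
    return conn.execute(sql, (user, pwd)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "a' or '1'='1"   # the input from the article
    print("concat   :", login_concat(db, payload, payload))    # True
    print("filtered :", login_filtered(db, payload, payload))  # False
    print("param    :", login_param(db, payload, payload))     # False
```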