Good way to sanitize input in classic asp

Yes, you can use parameterized queries in classic ASP (more accurately, classic ADO).

Here is a link.

As for encoding output, I might be tempted to create a wrapper for the latest Microsoft Anti-XSS library and call it with Server.CreateObject. I am far from an expert on this kind of thing as I spend much more time in .Net, so I only think this would work.

Server.HTMLEncode is really not good enough, as it only blacklists a few encoding characters. The Anti-XSS library is much better as it whitelists what is acceptable.


Always use Server.HTMLEncode to sanitize user input.

For example, if you're setting a variable from a form text box:

firstName = Server.HTMLEncode(trim(request.form("firstname")))


Watch out for SQL injection. Do not concatenate user input to a SQL string and then execute it. Instead, always use parameterized queries.
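As an added example (not code from either answer above), here is a classic ASP page that puts both points together: the form value is passed to ADO as a parameter of an ADODB.Command, so it is never spliced into the SQL text, and every value is run through Server.HTMLEncode at the moment it is written into the page. The connection string, the Users table and its columns are assumptions made for the illustration; the ADO constants are the standard ADO values, declared inline because classic ASP does not have them unless adovbs.inc is included.

```asp
<%
Option Explicit
' Added example, not from the original answers. Assumed: a SQL Server
' database AppDb with a Users(UserId, FirstName) table.

' ADO enumeration values (normally supplied by adovbs.inc)
Const adVarWChar = 202    ' DataTypeEnum: Unicode string
Const adParamInput = 1    ' ParameterDirectionEnum
Const adCmdText = 1       ' CommandTypeEnum: plain SQL text

Dim firstName, conn, cmd, rs

' Keep the raw value for the query. The parameter handles quotes and other
' SQL metacharacters; HTML encoding is applied on output, below.
firstName = Trim(Request.Form("firstname"))

Set conn = Server.CreateObject("ADODB.Connection")
' Assumed connection string; replace with your own.
conn.Open "Provider=SQLOLEDB;Data Source=.;Initial Catalog=AppDb;Integrated Security=SSPI;"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
' The ? is a placeholder. The value travels separately from the SQL text,
' so "O'Brien" or "x' OR 1=1--" is just a string being compared.
cmd.CommandText = "SELECT UserId, FirstName FROM Users WHERE FirstName = ?"
cmd.Parameters.Append cmd.CreateParameter("@firstname", adVarWChar, adParamInput, 50, firstName)

Set rs = cmd.Execute

' Encode at the point of output. Server.HTMLEncode raises an error on Null,
' so append "" to coerce a Null column value to an empty string first.
Response.Write "<p>Results for " & Server.HTMLEncode(firstName) & "</p>"
Do Until rs.EOF
    Response.Write "<p>" & Server.HTMLEncode(rs("UserId") & "") & ": " & _
                   Server.HTMLEncode(rs("FirstName") & "") & "</p>"
    rs.MoveNext
Loop

rs.Close
Set rs = Nothing
conn.Close
Set conn = Nothing
%>
```

The example encodes on the way out rather than when the form value is first read. Encoding at input time would store "&lt;" sequences in the database and double-encode on display, and it does nothing for SQL injection, which the parameter addresses. Server.HTMLEncode is only suitable for the HTML body and quoted attribute values; a value placed inside a script block, a URL or an unquoted attribute needs the encoder for that context.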