Some of the SQL in search.asp needs running through the ChkString function. Note that the andor, Forum and SearchMember values are concatenated into the SQL unquoted, so if ChkString in "SQLString" mode only escapes quote characters it does not fully cover these spots; restricting andor to the literal values AND/OR and checking that Forum and SearchMember are integers before use is the safer fix — confirm against the ChkString implementation, which is not shown here.
line 125
if cnt < keycnt then strSql = strSql & Request.Form("andor")
change to
if cnt < keycnt then strSql = strSql & ChkString(Request.Form("andor"), "SQLString")
line 142
if cnt < keycnt then strSql = strSql & Request.Form("andor")
change to
if cnt < keycnt then strSql = strSql & ChkString(Request.Form("andor"), "SQLString")
line 158
strSql = strSql & " AND " & strTablePrefix & "FORUM.FORUM_ID = " & Request.Form("Forum") & " "
change to
strSql = strSql & " AND " & strTablePrefix & "FORUM.FORUM_ID = " & ChkString(Request.Form("Forum"), "SQLString") & " "
lines 165-166
strSql = strSql & " AND (" & strMemberTablePrefix & "MEMBERS.MEMBER_ID = " & Request.Form("SearchMember") & " "
strSql = strSql & " OR " & strActivePrefix & "REPLY.R_AUTHOR = " & Request.Form("SearchMember") & ") "
change to
strSql = strSql & " AND (" & strMemberTablePrefix & "MEMBERS.MEMBER_ID = " & ChkString(Request.Form("SearchMember"), "SQLString") & " "
strSql = strSql & " OR " & strActivePrefix & "REPLY.R_AUTHOR = " & ChkString(Request.Form("SearchMember"), "SQLString") & ") "