How can i protect my SQL queries from crashing/returning errors when users try to input characters that arent alpha numeric?

What should I do with the variable STR before concaternating it into the SQL string?

I want to be protected from any types of input.

HTML page:

...
 <form action="search.asp" method="POST">
 <input type="text" name="searchstring" />
 <input type="submit" value="Search" />
 </form>
...

ASP page:

...
 STR = Request.Form("searchstring")
 SQL = "SELECT * FROM Database WHERE text='"&STR&"';"
 SET RecordSet = Connection.Execute(SQL)
...

First of all in your HTML use Maxlength to limit number of charcters users can type in the searchstring,

<input type="text" name="searchstring" maxlength="30"/>

use VBScript replace function to escape apostrophe (')

STR = Replace(Trim(Request.Form("searchstring")),"'","'' )

I would recommend you use stored procedure along with ASP command object..
that way you do not have to worry about escaping or sql injection attack..