Every time we hit a new error in ASP work, add the rule here so Claude never hits it again. Currently tracking 55 rules.
Deleting soft-archives the rule (IsActive=0) — not gone forever, but hidden from GetCodingRules.asp.

| # | Title | Sev | Tags | Active | |
|---|---|---|---|---|---|
| 8.1 | Request.Cookies — coerce with & "" and always validate | critical | cookie,auth,security | on | |
| 8.2 | Admin pages start with an explicit Session("account_id") check that 302s on fail | critical | auth, session, admin, security, redirect | on | |

| # | Title | Sev | Tags | Active | |
|---|---|---|---|---|---|
| 3.1 | MARS deadlock — one open recordset per connection | critical | database,mars,recordset,sqlserver | on | |
| 3.2 | Always close recordsets and null the reference | warning | database,recordset,cleanup | on | |
| 3.3 | Always SQL-escape user values before building SQL | critical | database,security,sql-injection | on | |
| 3.4 | Clamp form input lengths to column width before SQL | warning | database,validation,input | on | |
| 3.5 | Migrations must be idempotent | warning | database,migration,idempotent | on | |
| 3.6 | Admin check on BN_Members is MemberRole='admin', NOT a boolean IsAdmin column | critical | database,schema,admin,members,bn_members | on | |
| 3.7 | Never SELECT NVARCHAR(MAX) columns alongside short fields you actually need to read | critical | database, ado, nvarchar, max, cursor, sqloledb | on | |
| 3.8 | Single-field edits need a surgical UPDATE action — never reuse the bulk update path | warning | database, update, partial, ux, api | on | |
| 3.9 | Auto-create-on-first-hit table patterns fail silently — always verify with a SELECT | warning | database, ddl, permissions, migration, logging | on | |
| 3.10 | Wrap every conn.Execute in On Error Resume Next + JSON error reply | critical | sql, error-handling, ajax, json, 500, oledb | on | |
| 3.11 | Grep the codebase for table/column names before writing a new query | critical | sql, schema, joins, oledb, 80040e14 | on | |
| 3.12 | Every transactional SendGrid email must write a row to EmailsLog | best-practice | email, sendgrid, logging, audit, emailslog | on | |
| 3.13 | Per-show activity goes in teamadmin_history; one row per show on the invoice | best-practice | history, audit, activity, shows, invoice, log | on | |

| # | Title | Sev | Tags | Active | |
|---|---|---|---|---|---|
| 9.1 | Master defensive pattern — never let data crash the page | critical | error-handling,defensive | on | |
| 9.2 | CDO.Message — set HTMLBody before touching HTMLBodyPart.Charset | critical | cdo, email, smtp, charset, order | on | |
| 9.3 | Call Response.Clear before writing JSON error output | warning | response, buffer, json, error, api | on | |
| 9.4 | Keep On Error Resume Next scope tight — never re-enable strict errors mid-Sub | warning | error, oern, on-error, scope, vbscript | on | |

| # | Title | Sev | Tags | Active | |
|---|---|---|---|---|---|
| 4.1 | Define helper Functions at the TOP of the ASP file | warning | file-organization,hoisting | on | |
| 4.2 | Never use <!--#include--> inside a conditional | warning | file-organization,include | on | |
| 4.3 | Use #include virtual="/path" for shared config — never duplicate Const declarations | critical | include, const, virtual, file, organization | on | |
| 4.4 | Always verify FTP/Dreamweaver upload actually replaced the server file | warning | deployment, ftp, dreamweaver, file, sync | on | |
| 4.5 | Every ASP file starts with the UTF-8 + CodePage block | warning | asp, encoding, utf-8, charset, codepage | on | |
| 4.6 | Gate new-table reads behind an On Error check that points at the migration file | best-practice | asp, migration, error-handling, schema, deploy | on | |

| # | Title | Sev | Tags | Active | |
|---|---|---|---|---|---|
| 7.1 | Always HTMLEncode user-provided values | critical | html,xss,escape | on | |
| 7.2 | Use a separate attribute-safe escape for HTML attributes | warning | html,escape,attribute | on | |
| 7.3 | JS-safe inline needs a JSReady helper | warning | html,javascript,escape | on | |
| 7.4 | Inline form values must be HTMLEncoded — including value="" attributes | warning | html, encoding, attribute, xss, forms | on | |
| 7.5 | Don't scope base text/background rules to #editor only | critical | css, cms, page-builder, editor, scope, embed | on | |
| 7.6 | Default state of every element must be visible (no JS-dependent reveals) | critical | css, animation, opacity, reveal, javascript, cms | on | |
| 7.7 | Override the CMS .widget-container background, not just the inner form fields | warning | css, cms, widget, form, override, important | on | |
| 7.8 | Never paste the page-wrapper + fonts <link> block more than once | warning | html, cms, nesting, duplication, wrapper | on | |
| 7.9 | Don't rely solely on a Font Awesome kit URL — add a public CDN fallback | warning | fontawesome, icons, cdn, kit, domain-lock | on | |

| # | Title | Sev | Tags | Active | |
|---|---|---|---|---|---|
| 6.1 | Use ===SECTION=== delimiters, not nested JSON-in-string | critical | ai,llm,parsing,gemini | on | |
| 6.2 | Set maxOutputTokens generously (8192+) | warning | ai,llm,tokens,gemini | on | |
| 6.3 | In the system prompt, say "no JSON, no markdown, no preamble" | warning | ai,llm,prompting | on | |
| 6.4 | For JSON output from Gemini, set responseMimeType:"application/json" — do not just hope | warning | llm, gemini, json, responsemimetype, parse | on | |

| # | Title | Sev | Tags | Active | |
|---|---|---|---|---|---|
| 2.1 | Null & "" = Null (not "") | critical | null,vbscript,string | on | |
| 2.2 | Always coerce recordset field reads with & "" | critical | null,recordset,database | on | |
| 2.3 | Mid/Left/InStr on non-string Variants throws Type mismatch | critical | null,vbscript,string,dictionary | on | |
| 2.4 | CDate can throw Type mismatch even when IsDate is True | critical | date,cdate,vbscript | on | |
| 2.5 | Read migration-added columns defensively | warning | migration,schema,defensive | on | |
| 2.6 | Always wrap recordset values with HE() or HA() before output | critical | vbscript, null, htmlencode, xss, helpers | on | |

| # | Title | Sev | Tags | Active | |
|---|---|---|---|---|---|
| 5.1 | Coerce every form value with & "" before using | warning | input,form,coerce | on | |
| 5.2 | Validate numeric input with IsNumeric before casting | critical | input,validation,numeric | on | |
| 5.3 | Multi-valued checkboxes join with ", " automatically | best-practice | input,form,checkbox | on | |
| 5.4 | Escape every Request value before concatenating into SQL | critical | sql-injection, security, escape, apostrophe, request-form | on | |

| # | Title | Sev | Tags | Active | |
|---|---|---|---|---|---|
| 1.1 | Identifiers cannot start with an underscore | critical | vbscript,syntax,naming | on | |
| 1.2 | Single-line If/Then cannot be chained with ElseIf | critical | vbscript,syntax,control-flow | on | |
| 1.3 | Functions return by assigning to the function name | critical | vbscript,syntax,function | on | |
| 1.4 | VBScript has no native IIf — define your own | critical | vbscript,syntax,iif | on | |
| 1.5 | Never Dim the same variable twice in one Sub/Function | critical | vbscript, syntax, dim, scope, compile | on | |
| 1.6 | Use CDbl/CCur for large numbers — CLng overflows at ~2.1 billion | critical | vbscript, syntax, clng, overflow, casting, numeric | on | |
| 1.7 | Don't colon-pack If/Else across a function body | critical | vbscript, syntax, function, colons, parser | on | |