Hi,

I am having an issue with cross-site scripting and SQL injection, which show like below:

Cross-site scripting
Issue detail

The value of the t request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fe18a"><script>alert(1)</script>f999db65582 was submitted in the t parameter. This input was echoed unmodified in the application's response.

The script that I have is as follows:

If Len(t) = 0 Then t = "CM"

The question is, in order to encode the above line:

If Len(Server.HTMLEncode(t)) = 0 Then t = "CM"

OR

If Len(t) = 0 Then Replace(Server.HTMLEncode(t)) = "CM"

Which line is the right way to correct for cross-site scripting?

2. SQL Injection

The t parameter appears to be vulnerable to SQL injection attacks. The payloads (select%201) and (select%201%2c2) were each submitted in the t parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

A difference arising from these two subqueries often indicates that user input is being incorporated into an "order by" clause, although other explanations may apply.

I have the following SQL in my ASP classic with parameter "t":

rs.Open "SELECT * FROM Nomination where type = '" & t & "' and Serial_No is not null", conn, 1, 3

How shall I correct the above line to remove the SQL injection?

Please, can anyone give me any advice or any idea for these?

Thanks in advance.
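The two fixes asked about above, as an added ASP classic example that is not the poster's code: the SQL injection is removed by binding t as a parameter instead of concatenating it into the query text, and the cross-site scripting is removed by calling Server.HTMLEncode at the point where t is written into the HTML attribute, not inside the Len check. It assumes the same conn connection object and Nomination table as in the question; the parameter size 50 is an assumed column width.

```vbscript
<%
' Added example (not the original poster's code). Assumes "conn" is an open
' ADODB.Connection and the Nomination table from the question exists.
Dim t
t = Request.QueryString("t")
' The default-value check works on the raw value; encoding is an output concern,
' so wrapping t in Server.HTMLEncode here would not fix the reflected XSS.
If Len(t) = 0 Then t = "CM"

' SQL injection fix: t travels as a bound parameter, never as part of the SQL text,
' so (select 1) or a stray quote in t cannot change the query structure.
Dim cmd, rs
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1   ' adCmdText
cmd.CommandText = "SELECT * FROM Nomination WHERE type = ? AND Serial_No IS NOT NULL"
' adVarChar = 200, adParamInput = 1; 50 is an assumed width for the type column
cmd.Parameters.Append cmd.CreateParameter("type", 200, 1, 50, t)

' Keep the poster's cursor/lock settings (1 = adOpenKeyset, 3 = adLockOptimistic)
' by opening the recordset from the command rather than from SQL text.
Set rs = Server.CreateObject("ADODB.Recordset")
rs.Open cmd, , 1, 3

' XSS fix: encode t where it is written into the double-quoted attribute.
' Server.HTMLEncode turns " into &quot; and < > & into entities, so a value such as
' fe18a"><script>alert(1)</script> stays inside the attribute as inert text.
Response.Write "<input type=""hidden"" name=""t"" value=""" & Server.HTMLEncode(t) & """>"

rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```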