%
' Read the posted form fields. Every value passes through format() (defined
' further down this page) before it is used anywhere else.
' -- person --
name = format(Request.Form("name"))
surname = format(Request.Form("surname"))
address = format(Request.Form("address"))
postal = format(Request.Form("postal"))
location = format(Request.Form("location"))
' -- date of birth, posted as three separate parts (their day/month/year
'    order is fixed by the form, which is not visible here) --
birth1 = format(Request.Form("birth1"))
birth2 = format(Request.Form("birth2"))
birth3 = format(Request.Form("birth3"))
' -- contact details --
email = format(Request.Form("email"))
contactph = format(Request.Form("contactph"))
fax = format(Request.Form("fax"))
' -- company --
coname = format(Request.Form("coname"))
vendor = format(Request.Form("vendor"))
description = format(Request.Form("description"))
' Format a date (or a string the server locale can parse as one) as yyyy/mm/dd,
' the form used inside a #...# literal in the queries on this page.
' Month and day are always two digits.
Function dbDate(dt)
    Dim d, mm, dd
    d = CDate(dt)
    mm = Right("0" & Month(d), 2)
    dd = Right("0" & Day(d), 2)
    dbDate = Year(d) & "/" & mm & "/" & dd
End Function
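' Prepare one posted form value for use on this page:
'   - a single quote is doubled, the escape for a '...' string literal in Jet SQL
'   - double quotes are removed (kept from the original behaviour of this page)
'   - the result is HTML-encoded at storage time (a legacy convention of this
'     page; whatever renders the stored value must not encode it a second time)
'   - leading/trailing whitespace is trimmed
' The earlier keyword blacklist (DELETE/UPDATE/DROP/SELECT/INSERT and "--") was
' dropped: Replace() compares case-sensitively by default, so it never matched
' mixed- or lower-case input; it could not remove a value from inside a quoted
' literal that quote doubling already keeps intact; and it silently corrupted
' legitimate upper-case text (e.g. an address containing "RAINDROP").
' Quoting and query parameters are what protect the query, not keyword removal.
Function format(st)
    Dim stnew
    ' A missing field or Null arrives here as Empty/Null; treat it as ""
    stnew = "" & st
    stnew = Replace(stnew, "'", "''")
    stnew = Replace(stnew, """", "")
    stnew = Server.HTMLEncode(stnew)
    format = Trim(stnew)
End Function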
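' ADO enumeration values used below (adovbs.inc is not necessarily included)
Const ADO_PARAM_INPUT = 1     ' adParamInput
Const ADO_VARWCHAR = 202      ' adVarWChar
Const ADO_DATE = 7            ' adDate
Const ADO_CMD_TEXT = 1        ' adCmdText

' Append one text value to cmd as an input parameter (never spliced into SQL text)
Sub AddTextParam(cmd, paramName, value)
    ' Size must be at least 1 for variable-length types, hence Len + 1
    cmd.Parameters.Append cmd.CreateParameter(paramName, ADO_VARWCHAR, ADO_PARAM_INPUT, Len(value) + 1, value)
End Sub

Dim insertCmd, hasBirth, birthValue, textBefore, textAfter, i

' The date of birth is optional: it is stored only when all three parts were
' filled in. If they were, the value must parse as a date before anything
' touches the database (the server locale decides how "b1/b2/b3" is read,
' exactly as the previous dbDate(birth) call did).
hasBirth = (Len(birth1) > 0 And Len(birth2) > 0 And Len(birth3) > 0)
If hasBirth Then
    birth = birth1 & "/" & birth2 & "/" & birth3
    If Not IsDate(birth) Then
        Err.Raise vbObjectError + 1, "AddCustomer", "The date of birth is not a valid date."
    End If
    birthValue = CDate(birth)
End If

Set connection = Server.CreateObject("ADODB.Connection")
connection.Open("customers")

' Every posted value is bound as a parameter, so no value can alter the
' statement text. NOTE: the values already went through format(), which
' doubles single quotes for a string-built query; with parameters that
' doubling is redundant and leaves '' in stored names - remove it from
' format() once every query on this page is parameterized.
Set insertCmd = Server.CreateObject("ADODB.Command")
Set insertCmd.ActiveConnection = connection
insertCmd.CommandType = ADO_CMD_TEXT
If hasBirth Then
    insertCmd.CommandText = "INSERT INTO Customer (Name, Surname, Company_Name, Address, Postal_Code, Location, BirthDate, Email, Contact_Phone, Fax, Vendor, Description) VALUES (?,?,?,?,?,?,?,?,?,?,?,?)"
Else
    insertCmd.CommandText = "INSERT INTO Customer (Name, Surname, Company_Name, Address, Postal_Code, Location, Email, Contact_Phone, Fax, Vendor, Description) VALUES (?,?,?,?,?,?,?,?,?,?,?)"
End If

' Parameters are positional: they must follow the column order above
textBefore = Array("Name", name, "Surname", surname, "Company_Name", coname, _
                   "Address", address, "Postal_Code", postal, "Location", location)
textAfter = Array("Email", email, "Contact_Phone", contactph, "Fax", fax, _
                  "Vendor", vendor, "Description", description)
For i = 0 To UBound(textBefore) Step 2
    AddTextParam insertCmd, textBefore(i), textBefore(i + 1)
Next
If hasBirth Then
    insertCmd.Parameters.Append insertCmd.CreateParameter("BirthDate", ADO_DATE, ADO_PARAM_INPUT, , birthValue)
End If
For i = 0 To UBound(textAfter) Step 2
    AddTextParam insertCmd, textAfter(i), textAfter(i + 1)
Next

' Enter data in database
insertCmd.Execute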
%>
Cellular Advice NI LTD
Add New Customer
<% ' Confirmation text shown once the INSERT above has run. The string literal
   ' appears split across two lines, which VBScript does not allow - this looks
   ' like a line wrap introduced when the page was extracted; verify against the
   ' original file.
Response.Write("
Success. Data was included correctly in the database. ") %>
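<%
' Look up the customer row just inserted. The three search values are bound
' as parameters rather than spliced into the statement, so they cannot alter
' it. Note: the values carry the quote doubling and HTML encoding applied by
' format() at the top of the page, so they match what was stored.
Dim lookupCmd
Set lookupCmd = Server.CreateObject("ADODB.Command")
Set lookupCmd.ActiveConnection = connection
lookupCmd.CommandText = "SELECT ID_Customer FROM Customer WHERE Name=? AND Surname=? AND Company_Name=? ORDER BY ID_Customer DESC"
' 202 = adVarWChar, 1 = adParamInput; Size must be at least 1, hence Len + 1
lookupCmd.Parameters.Append lookupCmd.CreateParameter("Name", 202, 1, Len(name) + 1, name)
lookupCmd.Parameters.Append lookupCmd.CreateParameter("Surname", 202, 1, Len(surname) + 1, surname)
lookupCmd.Parameters.Append lookupCmd.CreateParameter("Company_Name", 202, 1, Len(coname) + 1, coname)
Set list = lookupCmd.Execute
%>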
©2005
Cellular Advice NI LTD
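<%
' Release the lookup recordset (opened by the SELECT above) before the
' connection it depends on, then release the connection itself.
If IsObject(list) Then
    If list.State <> 0 Then list.Close   ' 0 = adStateClosed
    Set list = Nothing
End If
connection.Close
Set connection = Nothing
%>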