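<%
' Add New Customer handler.
' Reads the posted form fields, inserts one Customer row and then looks the
' row up again so the page can link to its ID_Customer.
' Every value reaches the database as an ADODB.Command parameter, never by
' string concatenation, so the old format() keyword/quote stripping is gone:
' it was case-sensitive (a lower-case "drop" passed straight through) and it
' silently corrupted legitimate text such as a description containing "UPDATE".

' ADO constants; remove these if adovbs.inc is ever included on this page.
Const adCmdText = 1
Const adParamInput = 1
Const adVarChar = 200
Const adDate = 7

' Normalises one posted field for storage: trims it and HTML-encodes it,
' the same representation the rows already in the table use.
' No SQL escaping happens here because the values are bound as parameters.
Function format(st)
    format = Trim(Server.HTMLEncode(st & ""))
End Function

' Appends one input text parameter named pname, holding value, to cmd.
' ADO rejects a zero-length size, so empty strings are declared with size 1.
' NOTE(review): if Description is a Memo column and long text is rejected,
' bind that one parameter as adLongVarChar (201) instead.
Sub AddText(cmd, pname, value)
    Dim size
    size = Len(value)
    If size = 0 Then size = 1
    cmd.Parameters.Append cmd.CreateParameter(pname, adVarChar, adParamInput, size, value)
End Sub

' Retrieve the information
coname = format(Request.Form("coname"))
name = format(Request.Form("name"))
surname = format(Request.Form("surname"))
address = format(Request.Form("address"))
postal = format(Request.Form("postal"))
location = format(Request.Form("location"))
birth1 = format(Request.Form("birth1"))
birth2 = format(Request.Form("birth2"))
birth3 = format(Request.Form("birth3"))
email = format(Request.Form("email"))
contactph = format(Request.Form("contactph"))
fax = format(Request.Form("fax"))
vendor = format(Request.Form("vendor"))
description = format(Request.Form("description"))

Set connection = Server.CreateObject("ADODB.Connection")
connection.Open("customers")

' The date of birth is optional: it is only stored when all three parts were
' posted. The parts are joined and converted with CDate, so their order
' (day/month/year or month/day/year) follows the server locale, exactly as the
' implicit conversion inside the old dbDate() did. An unparsable date now
' fails with a clear message instead of a type-mismatch error.
hasBirth = Len(birth1) > 0 And Len(birth2) > 0 And Len(birth3) > 0
If hasBirth Then
    birth = birth1 & "/" & birth2 & "/" & birth3
    If Not IsDate(birth) Then
        Err.Raise vbObjectError + 513, "Add New Customer", "The date of birth is not a valid date: " & birth
    End If
    SQL = "INSERT INTO Customer (Name, Surname, Company_Name, Address, Postal_Code, Location, BirthDate, Email, Contact_Phone, Fax, Vendor, Description) " & _
          "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);"
Else
    SQL = "INSERT INTO Customer (Name, Surname, Company_Name, Address, Postal_Code, Location, Email, Contact_Phone, Fax, Vendor, Description) " & _
          "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);"
End If

Set insertCmd = Server.CreateObject("ADODB.Command")
Set insertCmd.ActiveConnection = connection
insertCmd.CommandType = adCmdText
insertCmd.CommandText = SQL
' Parameters are positional: keep this order identical to the column list.
AddText insertCmd, "Name", name
AddText insertCmd, "Surname", surname
AddText insertCmd, "Company_Name", coname
AddText insertCmd, "Address", address
AddText insertCmd, "Postal_Code", postal
AddText insertCmd, "Location", location
If hasBirth Then
    insertCmd.Parameters.Append insertCmd.CreateParameter("BirthDate", adDate, adParamInput, , CDate(birth))
End If
AddText insertCmd, "Email", email
AddText insertCmd, "Contact_Phone", contactph
AddText insertCmd, "Fax", fax
AddText insertCmd, "Vendor", vendor
AddText insertCmd, "Description", description

' Enter data in database
insertCmd.Execute
%>
Cellular Advice NI LTD

Add New Customer

<% Response.Write("Success. Data was included correctly in the database.") %>
<%
' Find the row just inserted (newest ID first) with the same bound values
' that were stored, so names containing quotes match as well.
SQL = "SELECT ID_Customer FROM Customer WHERE Name=? AND Surname=? AND Company_Name=? ORDER BY ID_Customer DESC"
Set lookupCmd = Server.CreateObject("ADODB.Command")
Set lookupCmd.ActiveConnection = connection
lookupCmd.CommandType = adCmdText
lookupCmd.CommandText = SQL
AddText lookupCmd, "Name", name
AddText lookupCmd, "Surname", surname
AddText lookupCmd, "Company_Name", coname
Set list = lookupCmd.Execute
%>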


">Click here to add a phone to this new customer

 

 

 

 

©2005 Cellular Advice NI LTD

<%
' Release the database connection opened for the insert above.
connection.Close
%>

