<%
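' Read the posted form values.
' Every value is passed through format() because each one is later
' concatenated into SQL text (the duplicate check and the INSERT below);
' this includes id, which is spliced into two WHERE clauses as well.
id = format(Request.Form("id"))
phonenumber = format(Request.Form("phonenumber"))
network = format(Request.Form("network"))
ntype = format(Request.Form("ntype"))
imei = format(Request.Form("imei"))
sim = format(Request.Form("sim"))
contract1 = format(Request.Form("contract1"))
contract2 = format(Request.Form("contract2"))
contract3 = format(Request.Form("contract3"))
tariff = format(Request.Form("tariff"))
' NOTE(review): this value is stored as submitted; if it is a real
' credential it should be hashed before it reaches the database — confirm.
password = format(Request.Form("password"))
model1 = format(Request.Form("model1"))
model2 = format(Request.Form("model2"))
bankname = format(Request.Form("bankname"))
bankaccount = format(Request.Form("bankaccount"))
sortcode = format(Request.Form("sortcode"))
cps = format(Request.Form("cps"))
upg = format(Request.Form("upg"))
profit = format(Request.Form("profit"))
commission = format(Request.Form("commission"))
' The full model number is the two model fields joined by a space
model = Trim(model1 & " " & model2)
' An empty profit or commission is stored as 0. There is no numeric
' check here: CDbl() on non-numeric text raises a type mismatch later.
If profit = "" Then profit = 0
If commission = "" Then commission = 0
' "customers" is presumably an ODBC DSN — confirm against the server setup
Set connection = Server.CreateObject("ADODB.Connection")
connection.Open("customers")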
' Formats a date as yyyy/mm/dd, with month and day zero-padded to two
' digits; this is the shape placed inside the #...# date literal of the
' INSERT below.
' NOTE(review): the caller passes a "d/m/y"-style string, not a Date, so
' Year/Month/Day coerce it according to the server locale — confirm that
' the form's field order matches that locale.
Function dbDate(dt)
    Dim parts(2)
    parts(0) = CStr(Year(dt))
    parts(1) = Right("0" & Month(dt), 2)
    parts(2) = Right("0" & Day(dt), 2)
    dbDate = Join(parts, "/")
End Function
' Prepares a form value for splicing into a single-quoted SQL string
' literal and stores it HTML-encoded. Steps, strictly in this order:
' the apostrophe is doubled (the only step tied to the single-quoted SQL
' context), double quotes and "--" are removed, five upper-case SQL
' keywords are removed (Replace uses a binary compare here, so lower-case
' spellings are untouched), then the result is HTML-encoded and trimmed.
' NOTE(review): the keyword list is a blacklist; it is not a reliable
' defence and also corrupts legitimate values containing those substrings
' (e.g. "DROPSHIP"). Binding values as ADODB.Command parameters instead of
' building SQL text is the robust approach; if that is done, the
' apostrophe doubling here must go at the same time or stored values will
' contain doubled quotes. HTML-encoding at this layer also means the
' database holds entities rather than the raw value.
Function format(st)
    Dim rules, rule, cleaned
    ' Each entry is (find, replacement); order matters and is preserved.
    rules = Array( _
        Array("'", "''"), _
        Array("""", ""), _
        Array("--", ""), _
        Array("DELETE", ""), _
        Array("UPDATE", ""), _
        Array("DROP", ""), _
        Array("SELECT", ""), _
        Array("INSERT", ""))
    cleaned = st
    For Each rule In rules
        cleaned = Replace(cleaned, rule(0), rule(1))
    Next
    format = Trim(Server.HTMLEncode(cleaned))
End Function
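' The contract date is rebuilt from its three form fields; dbDate() then
' relies on VBScript coercing this string to a Date (locale dependent).
contract = contract1 & "/" & contract2 & "/" & contract3
' Duplicate check on the phone number. Compared with = rather than LIKE so
' that a wildcard character in the submitted number cannot match other
' rows; only one column is fetched since only EOF is inspected.
SQL = "SELECT Phone_Number FROM Phone WHERE Phone_Number = '" & phonenumber & "';"
Set list = connection.Execute(SQL)
If list.EOF Then
    ' The statement is still built by string concatenation, so every value
    ' spliced in must have come through format(). Binding these as
    ' ADODB.Command parameters would remove that dependency, but format()
    ' must then stop doubling apostrophes, otherwise stored text changes.
    ' The commission value is the variable named commission: a misspelled
    ' name here is an undeclared (Empty) variable and CDbl(Empty) is 0, so
    ' every row would silently get a commission of 0.
    ' The #...# literal is the date syntax the target database expects.
    SQL = "INSERT INTO Phone (Phone_Number, Network, Type, IMEI, SIM, Contract_Date, " & _
          "Password, Tariff, Model, CPS, Upg_Ref, Profit, Commission, Bank_Name, " & _
          "Account_Number, Sort_Code, ID_Customer) VALUES ('" & _
          phonenumber & "','" & network & "','" & ntype & "','" & imei & "','" & sim & _
          "',#" & dbDate(contract) & "#,'" & password & "','" & tariff & "','" & model & _
          "','" & cps & "','" & upg & "','" & CDbl(profit) & "','" & CDbl(commission) & _
          "','" & bankname & "','" & bankaccount & "','" & sortcode & "','" & id & "');"
    connection.Execute(SQL)
Else
    ' The phone number already exists: send the user to the duplicate page
    Response.Redirect("../phones/dupphone.asp")
End If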
%>
Success. Data was included correctly in the database.
")
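' Count the phones already registered to this customer.
' Exact comparison (=) rather than LIKE, so a wildcard character in id
' cannot make the count include other customers' rows; id itself must have
' come through format() since it is concatenated into the SQL text.
SQL = "SELECT Phone_Number FROM Phone WHERE ID_Customer = '" & id & "';"
Set list = connection.Execute(SQL)
' Number of phones of this customer, counted by walking the recordset.
' NOTE(review): the recordset and connection are not closed anywhere in
' view — confirm whether later code still uses them.
Dim counter
counter = 0
Do Until list.EOF
    counter = counter + 1
    list.MoveNext
Loop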
%>