<%
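' Resolve the phone number to look up: the posted form field wins, otherwise
' the "id" query-string value is used. Both values come from the client, so
' both are passed through format() before they reach the queries below.
id=format(Request.Form("textfield"))
If id="" then
' The query-string path is just as untrusted as the form field and must not
' bypass format(); the raw value was previously used here unsanitised.
id=format(Request.QueryString("id"))
End If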
' Function that escapes single quotes ("'") and trims spaces in input strings,
' and strips some SQL keywords, to reduce the risk of SQL injection attacks
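Function format(st)
' Sanitises one untrusted input value. This is defence in depth only: the
' single-quote doubling is the one step that matters inside a '...' SQL
' literal, and keyword stripping is a blacklist that cannot be relied on.
' The query that consumes the value should use parameters instead.
'   st      - raw input string (e.g. from Request.Form or Request.QueryString)
'   returns - st with ' doubled, " and -- removed, the listed SQL keywords
'             removed regardless of letter case, then HTML-encoded and trimmed
dim stnew
stnew = st
' Double single quotes so the value cannot terminate a SQL string literal
stnew = Replace(stnew,"'","''")
stnew = Replace(stnew,"""","")
stnew = Replace(stnew,"--","")
' Replace defaults to vbBinaryCompare (case-sensitive), so the original
' calls only removed upper-case keywords; vbTextCompare makes the stripping
' consistent with the stated intent. start=1, count=-1 are the defaults.
stnew = Replace(stnew,"DELETE","",1,-1,vbTextCompare)
stnew = Replace(stnew,"UPDATE","",1,-1,vbTextCompare)
stnew = Replace(stnew,"DROP","",1,-1,vbTextCompare)
stnew = Replace(stnew,"SELECT","",1,-1,vbTextCompare)
stnew = Replace(stnew,"INSERT","",1,-1,vbTextCompare)
' NOTE(review): HTML encoding happens before the value is used in SQL, so
' characters such as & are compared in their encoded form - confirm this is
' intended for the columns being queried.
stnew = Server.HTMLEncode(stnew)
format = Trim(stnew)
End Function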
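' Open the "customers" data source and run two lookups: the Phone row for the
' submitted number, then the Customer row it refers to. Values are bound as
' ADODB.Command parameters ("?" placeholders) instead of being concatenated
' into the SQL text, so the queries no longer depend on format() having
' neutralised every dangerous character in the input.
Set connection = Server.CreateObject("ADODB.Connection")
connection.Open("customers")
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = connection
' SQL is still assigned so later code that reads it keeps working
SQL="SELECT * FROM Phone WHERE Phone_Number like ?;"
cmd.CommandText = SQL
' 200 = adVarChar, 1 = adParamInput (numeric literals in case adovbs.inc is
' not included); 255 is a constructed upper bound for the value length
cmd.Parameters.Append cmd.CreateParameter("phone", 200, 1, 255, id)
Set list = cmd.Execute
If list.EOF then
Response.Redirect("./sphonenotfound.asp")
End If
' Second lookup keyed by the customer id found on the phone record; it is
' also bound as a parameter rather than spliced into the statement
Set cmd2 = Server.CreateObject("ADODB.Command")
Set cmd2.ActiveConnection = connection
SQL="SELECT * FROM Customer WHERE ID_Customer like ?;"
cmd2.CommandText = SQL
cmd2.Parameters.Append cmd2.CreateParameter("customer", 200, 1, 255, list.Fields("ID_Customer").Value)
Set list2 = cmd2.Execute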
%>