Details of sold products:
Model |
IMEI |
Date Out |
Price |
Supplier |
"&list.Fields("Model")&" | "&list.Fields("IMEI")&" | "&list.Fields("Date_out")&" | "&list.Fields("Price")&" £ | "&list.Fields("Supplier")&" |
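<%
' Normalises the "model" query-string value before it is bound as a query
' parameter: a missing/Null value becomes "", otherwise surrounding
' whitespace is trimmed.
'
' This function is deliberately NOT an SQL-injection filter. The previous
' version doubled single quotes, stripped "--" and removed a fixed list of SQL
' keywords (case-sensitively, in a single pass, so "delete" or "SELSELECTECT"
' passed through), and then HTML-encoded the value before splicing it into the
' SQL text - which also meant a model name containing "&" or "<" could never
' be found. Injection is now prevented by binding the value as an ADODB
' parameter (see below); HTML encoding belongs where a value is written to
' the page, not on the lookup key.
Function format(st)
    If IsNull(st) Or IsEmpty(st) Then
        format = ""
    Else
        format = Trim(CStr(st))
    End If
End Function

model = format(Request.QueryString("model"))

Set connection = Server.CreateObject("ADODB.Connection")
connection.Open("stock")

' The model value is supplied through the "?" placeholder and never
' concatenated into the statement, so its content cannot alter the query.
SQL = "SELECT * FROM Product WHERE Model = ? AND Date_out IS NOT NULL ORDER BY Date_in"

Dim cmd
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = connection
cmd.CommandText = SQL
cmd.CommandType = 1 ' adCmdText
' 200 = adVarChar, 1 = adParamInput. The size argument (255) is a placeholder:
' set it to the declared width of Product.Model, which this page does not show.
cmd.Parameters.Append cmd.CreateParameter("model", 200, 1, 255, model)

' "list" remains the recordset that the list.Fields(...) output expressions
' further down read from. Those expressions write database values to the page
' unencoded; passing each through Server.HTMLEncode(...) at the output point
' would stop markup stored in a product row from rendering as HTML.
Set list = cmd.Execute
%>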
Model |
IMEI |
Date Out |
Price |
Supplier |
"&list.Fields("Model")&" | "&list.Fields("IMEI")&" | "&list.Fields("Date_out")&" | "&list.Fields("Price")&" £ | "&list.Fields("Supplier")&" |