<%
phonenumber=Request.Form("phonenumber")
minutes=format(Request.Form("minutes"))
messages=format(Request.Form("messages"))
date1=format(Request.Form("date1"))
date2=format(Request.Form("date2"))
date3=format(Request.Form("date3"))
' Function that converts to universal format yyyy/mm/dd
Function dbDate(dt)
dbDate = year(dt) &"/"& right("0" & month(dt), 2) &_
"/"& right("0" & day(dt),2)
End Function
' Function that eliminates singles "'" and spaces in input strings
' And some other things to avoid SQL injection attacks
Function format(st)
dim stnew
stnew = st
stnew = Replace(stnew,"'","''")
stnew = Replace(stnew,"""","")
stnew = Replace(stnew,"--","")
stnew = Replace(stnew,"DELETE","")
stnew = Replace(stnew,"UPDATE","")
stnew = Replace(stnew,"DROP","")
stnew = Replace(stnew,"SELECT","")
stnew = Replace(stnew,"INSERT","")
stnew = Server.HTMLEncode(stnew)
format = Trim(stnew)
End Function
Set connection = Server.CreateObject("ADODB.Connection")
connection.Open("customers")
udate=date1&"/"&date2&"/"&date3
SQL="INSERT INTO Usage (Usage_Date, Minutes, Messages,Phone_Number) VALUES (#"&dbDate(udate)&"#,'"&minutes&"','"&messages&"','"&phonenumber&"');"
connection.Execute(SQL)
%>
Cellular Advice NI LTD
