eyedol · October 5, 2011 08:43
diff --git a/gistfile1.asp b/gistfile1.asp
 <%
 dim Conn
 dim rs
 dim rs2
 dim cn
 dim str
 dim msg
 dim from
 dim message
 dim stmt



 ' Connection Strings
 cnProvider = "Provider=Microsoft.JET.OLEDB.4.0;"
 cnDataSource = "Data Source =" & _
 Server.MapPath ("database.mdb") & ";"

 Conn = cnProvider & cnDataSource

 set db = Server.CreateObject("Adodb.Connection")
 db.Open Conn




 ' GET POST/GET Variables
 from = sReplace(request("from"))
 message = sReplace(request("message"))

 stmt = "SELECT * FROM recieved WHERE (phone_no = '" & from & "' AND text = '" & message & "') "
 set query = db.execute(stmt)

 ' Record doesn't already exist
 if query.eof then
 	db.execute("INSERT INTO received (phone_no, text) VALUES ('" & from & "', '" & message & "') ")
 	response.write "{payload: {success: 'true'}}"
 else
 	response.write "{payload: {success: 'false'}}"
 end if

 Set db = nothing




 ' Function to prevent SQL Injection
 Function sReplace(str)
 	str = replace(str,"'", "''")
 	str = replace(str,"--", "-")
 	
 	'Replace SQL Functions
 	str = replace(str, "/script", "")
 	str = replace(str, "insert into", "")
 	str = replace(str, "delete from", "")
 	str = replace(str, "drop table", "")
 	str = replace(str, "exec(", "")
 	str = replace(str, "cast(", "")
 	str = replace(str, "varchar", "")
 	str = replace(str, "nvarchar", "")
 	str = replace(str, "sp_", "")
 	str = replace(str, "xp_", "")
 	str = replace(str, "@@", "")
 	
 	str = trim(str)
 	sReplace = str
 End Function
 %>
	<%
	dim Conn
	dim rs
	dim rs2
	dim cn
	dim str
	dim msg
	dim from
	dim message
	dim stmt



	' Connection Strings
	cnProvider = "Provider=Microsoft.JET.OLEDB.4.0;"
	cnDataSource = "Data Source =" & _
	Server.MapPath ("database.mdb") & ";"

	Conn = cnProvider & cnDataSource

	set db = Server.CreateObject("Adodb.Connection")
	db.Open Conn




	' GET POST/GET Variables
	from = sReplace(request("from"))
	message = sReplace(request("message"))

	stmt = "SELECT * FROM recieved WHERE (phone_no = '" & from & "' AND text = '" & message & "') "
	set query = db.execute(stmt)

	' Record doesn't already exist
	if query.eof then
	db.execute("INSERT INTO received (phone_no, text) VALUES ('" & from & "', '" & message & "') ")
	response.write "{payload: {success: 'true'}}"
	else
	response.write "{payload: {success: 'false'}}"
	end if

	Set db = nothing




	' Function to prevent SQL Injection
	Function sReplace(str)
	str = replace(str,"'", "''")
	str = replace(str,"--", "-")

	'Replace SQL Functions
	str = replace(str, "/script", "")
	str = replace(str, "insert into", "")
	str = replace(str, "delete from", "")
	str = replace(str, "drop table", "")
	str = replace(str, "exec(", "")
	str = replace(str, "cast(", "")
	str = replace(str, "varchar", "")
	str = replace(str, "nvarchar", "")
	str = replace(str, "sp_", "")
	str = replace(str, "xp_", "")
	str = replace(str, "@@", "")

	str = trim(str)
	sReplace = str
	End Function
	%>