@eyedol
Forked from dkobia/gist:1262018
Created October 5, 2011 08:43
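<%
' Records an inbound message (phone number + text) in the Access database
' unless an identical row already exists, and answers with a small status
' object.
'
' Input (GET or POST): "from" (phone number) and "message" (text).
' Output: {payload: {success: 'true'}}  when a new row was inserted,
'         {payload: {success: 'false'}} when the row already existed.
'         The literal is kept exactly as originally emitted; it is not strict
'         JSON, but existing clients may depend on this shape.
'
' Fixes relative to the original:
'  - both statements use the same table name ("received"); the lookup used
'    to query "recieved" while the insert wrote to "received", so the
'    duplicate check could never match;
'  - request values are bound as ADO parameters instead of being pasted into
'    the SQL text after a blacklist filter;
'  - the recordset and connection are closed before being released.
Dim cnProvider, cnDataSource, Conn
Dim db, cmd, query
Dim from, message

' Connection string: Jet provider over the .mdb that sits next to this page.
cnProvider = "Provider=Microsoft.JET.OLEDB.4.0;"
cnDataSource = "Data Source =" & Server.MapPath("database.mdb") & ";"
Conn = cnProvider & cnDataSource

Set db = Server.CreateObject("ADODB.Connection")
db.Open Conn

' Request values are untrusted. They reach the database only as bound
' parameters (see AppendTextParam), never as part of the SQL string, so no
' escaping is needed here. Trim keeps the whitespace handling the original
' sReplace helper applied before comparing/storing.
from = Trim(Request("from"))
message = Trim(Request("message"))

' Parameterised duplicate lookup.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = db
cmd.CommandType = 1 ' adCmdText
cmd.CommandText = "SELECT phone_no FROM received WHERE phone_no = ? AND text = ?"
AppendTextParam cmd, "phone_no", from
AppendTextParam cmd, "text", message
Set query = cmd.Execute

If query.EOF Then
    ' Record doesn't already exist: insert it with a fresh command so the
    ' SELECT's parameter collection is not reused.
    query.Close
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = db
    cmd.CommandType = 1 ' adCmdText
    cmd.CommandText = "INSERT INTO received (phone_no, text) VALUES (?, ?)"
    AppendTextParam cmd, "phone_no", from
    AppendTextParam cmd, "text", message
    cmd.Execute
    Response.Write "{payload: {success: 'true'}}"
Else
    query.Close
    Response.Write "{payload: {success: 'false'}}"
End If

' Close the connection explicitly; "Set db = Nothing" alone only drops the
' reference.
db.Close
Set db = Nothing

' Appends one input text parameter named `name` with value `value` to the
' ADODB.Command `cmd`.
' The declared size follows the value's length so long texts are not
' truncated; ADO can reject a variable-length parameter declared with size 0,
' so an empty value is declared with size 1.
Sub AppendTextParam(cmd, name, value)
    Dim size
    size = Len(value)
    If size < 1 Then size = 1
    ' 200 = adVarChar, 1 = adParamInput (numeric so adovbs.inc is not needed)
    cmd.Parameters.Append cmd.CreateParameter(name, 200, 1, size, value)
End Sub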
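' Blacklist-style sanitiser kept for backward compatibility with callers that
' still concatenate values into SQL text. It doubles single quotes, collapses
' "--" to "-", strips a fixed list of SQL keyword fragments in a single pass
' (each pattern applied once, in order), then trims spaces.
'
' It is NOT a substitute for bound parameters: the list is matched with
' Replace's default binary (case-sensitive) comparison, so differently cased
' input passes through unchanged, and removing fragments also corrupts
' legitimate text (any message containing e.g. "sp_" loses those characters).
' New code should bind values with ADODB.Command parameters instead.
'
' str: the raw value. Declared ByVal so the caller's variable is not
'      rewritten - the original ByRef parameter clobbered it on every call.
' Returns: the escaped/stripped, trimmed string.
Function sReplace(ByVal str)
    Dim patterns, i
    ' Pairs of (find, replaceWith). Order is preserved from the original and
    ' matters: "varchar" is removed before "nvarchar", so the "nvarchar"
    ' entry never sees an intact word.
    patterns = Array( _
        "'", "''", _
        "--", "-", _
        "/script", "", _
        "insert into", "", _
        "delete from", "", _
        "drop table", "", _
        "exec(", "", _
        "cast(", "", _
        "varchar", "", _
        "nvarchar", "", _
        "sp_", "", _
        "xp_", "", _
        "@@", "" _
    )
    For i = 0 To UBound(patterns) Step 2
        str = Replace(str, patterns(i), patterns(i + 1))
    Next
    sReplace = Trim(str)
End Function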
%>