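<%
' IllegalChars: blacklist filter for a value that is about to be used in a
' SQL string. Returns True when sInput contains any of the listed words or
' characters, False otherwise (a Null/Empty input is treated as "").
'
' NOTE(review): a blacklist is defence in depth only - it is not a substitute
' for bound parameters or strict type validation of the id. The match is now
' case-insensitive: the original two-argument Instr used a binary compare, so
' "SELECT" / "Select" slipped past the word entries.
Function IllegalChars(sInput)
    Dim sBadChars, iCounter, sText
    IllegalChars = False
    sText = sInput & ""        ' Null/Empty -> "", so InStr cannot yield Null
    sBadChars = Array("select", "drop", ";", "--", "insert", "delete", "xp_", _
                      "#", "%", "&", "'", "(", ")", "/", "\", ":", ";", "<", ">", "=", "[", "]", "?", "`", "|")
    For iCounter = 0 To UBound(sBadChars)
        If InStr(1, sText, sBadChars(iCounter), vbTextCompare) > 0 Then
            IllegalChars = True
            Exit For           ' one hit is enough
        End If
    Next
End Function
%>
<%
' Resolve which category to display: the category_id query-string value when
' present, otherwise the highest category_id in the table (z=1 marks that the
' fallback lookup found a row). The chosen id ends up in category_id_d and
' compare_id.
Dim sUsername, sPassword       ' declared by the original page; not used here
If Request.QueryString("category_id") = "" Then
    Dim rs16
    Set rs16 = Server.CreateObject("ADODB.Recordset")
    rs16.CursorLocation = 3    ' adUseClient
    sql = "SELECT Max(category_id) AS category_id1 FROM category"
    rs16.Open sql, gallery_conn, 0, 1   ' adOpenForwardOnly, adLockReadOnly
    If Not (rs16.EOF Or rs16.BOF) Then
        z = 1
        category_id_d = rs16.Fields("category_id1")
    End If
    ' Release the recordset; the original never closed it.
    rs16.Close
    Set rs16 = Nothing
Else
    category_id_d = Request.QueryString("category_id")
End If
' Bounce anything SQL-looking before the id reaches this page's queries.
' Response.Redirect ends the response, so nothing below runs on rejection.
If IllegalChars(category_id_d) = True Then
    Response.Redirect("index.asp?flg=false")
End If
compare_id = category_id_d
%> <% %>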
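Category List <%
' Category list: open the category table ordered by id and set x=1 when at
' least one category exists. Any markup between the two script blocks below
' is rendered only in that case; "No Events" is shown otherwise.
Dim rs1
Set rs1 = Server.CreateObject("ADODB.Recordset")
rs1.CursorLocation = 3         ' adUseClient
sql = "SELECT * FROM category order by category_id"
rs1.Open sql, gallery_conn, 2, 2
If Not (rs1.EOF Or rs1.BOF) Then
    x = 1
%> <%
End If
' Release the recordset once the listing (if any) has been rendered; the
' original left it open for the lifetime of the page.
rs1.Close
Set rs1 = Nothing
%> <% If x <> 1 Then %> No Events <% End If %>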
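<%
' Description of the selected category. category_id_d is user-controlled
' (query string), so it is bound as a parameter instead of being concatenated
' into the SQL text. It is bound as text to keep the original quoted
' comparison (category_id = '...'); NOTE(review): if category_id is a numeric
' column, validate with IsNumeric/CLng and bind it as adInteger (3) instead.
' z=1 records that a row was found.
Dim rs2, cmd2, idText2
idText2 = category_id_d & ""   ' Null/Empty -> ""
Set cmd2 = Server.CreateObject("ADODB.Command")
If IsObject(gallery_conn) Then
    Set cmd2.ActiveConnection = gallery_conn   ' Connection object
Else
    cmd2.ActiveConnection = gallery_conn       ' connection string
End If
cmd2.CommandType = 1           ' adCmdText
cmd2.CommandText = "SELECT category_desc FROM category WHERE category_id = ?"
' 200 = adVarChar, 1 = adParamInput; Size must be >= 1 even for an empty value
cmd2.Parameters.Append cmd2.CreateParameter("category_id", 200, 1, Len(idText2) + 1, idText2)
Set rs2 = cmd2.Execute
If Not (rs2.EOF Or rs2.BOF) Then
    z = 1
    category_desc = rs2.Fields("category_desc")   ' copies the value, not the Field object
End If
' Release the recordset and command; the original never closed them.
rs2.Close
Set rs2 = Nothing
Set cmd2 = Nothing
%> <% If z <> 1 Then %> <% End If %>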

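<%
' Category description, HTML-encoded on output: the value comes from the
' database and is not trusted as markup. "& """ turns Null/Empty (no matching
' row) into "" so Server.HTMLEncode cannot fault on a missing value.
%><%= Server.HTMLEncode(category_desc & "") %>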

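    <%
    ' Photos in the selected category. category_id_d is user-controlled, so it
    ' is passed as a bound parameter rather than concatenated into the SQL.
    ' It is bound as text to keep the original quoted comparison
    ' (ph_category = '...'); NOTE(review): if ph_category is numeric, validate
    ' with IsNumeric/CLng and bind as adInteger (3) instead. y=1 records that
    ' at least one photo exists; the markup between the script blocks renders
    ' one bullet per row using ph_title / Ph_no / ph_desc / ph_category.
    Dim rs5, cmd5, phText5
    phText5 = category_id_d & ""   ' Null/Empty -> ""
    Set cmd5 = Server.CreateObject("ADODB.Command")
    If IsObject(gallery_conn) Then
        Set cmd5.ActiveConnection = gallery_conn   ' Connection object
    Else
        cmd5.ActiveConnection = gallery_conn       ' connection string
    End If
    cmd5.CommandType = 1           ' adCmdText
    cmd5.CommandText = "SELECT * FROM gallery_ph WHERE ph_category = ?"
    ' 200 = adVarChar, 1 = adParamInput; Size must be >= 1 even for an empty value
    cmd5.Parameters.Append cmd5.CreateParameter("ph_category", 200, 1, Len(phText5) + 1, phText5)
    Set rs5 = cmd5.Execute
    If Not (rs5.EOF Or rs5.BOF) Then
        y = 1
    %> <%
        Do Until rs5.EOF
            ph_title = rs5.Fields("ph_title")
            Ph_no = rs5.Fields("Ph_no")
            ph_desc = rs5.Fields("ph_desc")
            ph_category = rs5.Fields("ph_category")
    %>
  • <%
            rs5.MoveNext
        Loop
    %> <%
    End If
    ' Release the recordset and command; the original never closed them.
    rs5.Close
    Set rs5 = Nothing
    Set cmd5 = Nothing
    %>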
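<%
' "No Images" belongs to the photo query flag (y), not the category-list flag
' (x): with the original x<>1 test the message never appeared for an empty
' category as long as any category existed.
If y <> 1 Then %> No Images <% End If %>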