<% Function GetSQLServerConnection( Computer, UserID, Password, Db ) Dim Params, conn Set GetSQLServerConnection = Nothing Params = "Provider=SQLOLEDB.1" Params = Params & ";Data Source=" & Computer Params = Params & ";User ID=" & UserID Params = Params & ";Password=" & Password Params = Params & ";Initial Catalog=" & Db Set conn = Server.CreateObject("ADODB.Connection") conn.Open Params Set GetSQLServerConnection = conn End Function Set conn = GetSQLServerConnection("server08", "user_web","724","eventdb") file=trim(request("id")) file=replace(file,"'","") file=replace(file,";","") file=replace(file,"<","") file=replace(file,">","") if file="" or isnull(file) then response.end conn.execute("insert into hbr_act(eventid, visible, hbruid, data) values(16,1,'','"&file&"')") conn.close if file="csr_form.pdf" or file="csr_form.doc" then response.Redirect "download/"&file %>