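<%
Option Explicit
Response.AddHeader "Cache-Control", "no-cache"

' ADO constants, spelled out because the page references no type library.
Const adParamInput = 1
Const adInteger = 3
Const adVarChar = 200
Const adCmdText = 1
Const adExecuteNoRecords = 128

' Returns False when val contains any blacklisted SQL token (case-insensitive substring
' match), True otherwise. Kept for backward compatibility with existing callers: the
' queries below bind the id as a parameter, so this list is no longer what prevents
' injection, and it rejects legitimate ids containing substrings such as "end" or "open".
Function checkSQLinject(val)
    Dim tokens, token, lowered
    lowered = LCase(val)
    tokens = Array("--", ";", "/*", "*/", "@@", "@", _
                   "char", "nchar", "varchar", "nvarchar", _
                   "alter", "begin", "cast", "create", "cursor", _
                   "declare", "delete", "drop", "end", "exec", _
                   "execute", "fetch", "insert", "kill", "open", _
                   "select", "sys", "sysobjects", "syscolumns", _
                   "table", "update")
    checkSQLinject = True
    For Each token In tokens
        If InStr(lowered, token) <> 0 Then
            checkSQLinject = False
            Exit Function
        End If
    Next
End Function

' Trims val, doubles single quotes (literal-embedding escape) and HTML-encodes the result.
Function strfix(val)
    strfix = htmlencode(Replace(Trim(val), "'", "''"))
End Function

' HTML-encodes val via the server helper.
Function htmlencode(val)
    htmlencode = Server.HTMLEncode(val)
End Function

' Appends a text input parameter to cmd, sized to its value (ADO rejects a zero-length adVarChar).
Sub addTextParam(cmd, name, value)
    Dim size
    size = Len(value)
    If size < 1 Then size = 1
    cmd.Parameters.Append cmd.CreateParameter(name, adVarChar, adParamInput, size, value)
End Sub

' Appends a 32-bit integer input parameter to cmd.
Sub addLongParam(cmd, name, value)
    cmd.Parameters.Append cmd.CreateParameter(name, adInteger, adParamInput, 4, value)
End Sub

'===================================================================================================
Dim conn, rs, cmd, upd, stored
Dim strThemeid, strThemeParam, strScore, intScore, scoreOk, rating(4)

' Theme id as submitted, escaped by strfix; this is also the Application key, so an
' arbitrary request can create an entry under any key that passes the blacklist.
strThemeid = strfix(Request("t"))
If Not checkSQLinject(strThemeid) Then strThemeid = ""
' strfix doubled the single quotes for literal embedding; a bound parameter must carry the
' undoubled text so the lookup matches what the concatenated query used to send.
strThemeParam = Replace(strThemeid, "''", "'")

' Score: clamped to 1..5 when numeric, 0 when absent or not numeric. IsNumeric accepts
' forms CLng cannot hold (very large or exponent values), so the conversion is guarded
' instead of letting a crafted "s" turn into a 500.
intScore = 0
strScore = strfix(Request("s"))
If IsNumeric(strScore) Then
    On Error Resume Next
    intScore = CLng(strScore)
    scoreOk = (Err.Number = 0)
    Err.Clear
    On Error GoTo 0
    If scoreOk Then
        If intScore > 5 Then intScore = 5
        If intScore < 1 Then intScore = 1
    Else
        intScore = 0
    End If
End If

' NOTE(review): database credentials are embedded in page source. Move the connection
' string to a configuration include outside the web root (or an Application value set in
' global.asa) and rotate the password; anyone who can read this file can read the database.
Set conn = Server.CreateObject("ADODB.Connection")
conn.open "PROVIDER=SQLOLEDB;UID=msnemoticon;PWD=cyber911;DATABASE=Bates141_MSN"

' Bound parameter instead of string concatenation: the id never becomes part of the SQL text.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "select * from tbl_rating where intthemeid = ?"
addTextParam cmd, "themeid", strThemeParam
Set rs = cmd.Execute

' Iterate the matching rows; with a vote, recompute and persist the aggregate, otherwise
' just mirror the stored values into Application.
While Not rs.EOF
    If intScore >= 1 Then
        rating(0) = rs("intthemeid")
        rating(2) = CLng(rs("intvotes")) + 1                                   ' votes
        rating(1) = CInt((intScore + CLng(rs("inttotalscore"))) / rating(2))   ' average score
        rating(3) = CLng(rs("inttotalscore")) + intScore                       ' total score
        Application.Lock
        Application(strThemeid) = rating
        Application.Unlock

        ' Parameterised update executed as a statement; the id read back from the row is
        ' bound too, so a stored value cannot alter the UPDATE. As in the original, this runs
        ' while rs is still open on the same connection — presumably the provider tolerates
        ' that here; confirm, or collect the values and update after rs.close.
        Set upd = Server.CreateObject("ADODB.Command")
        Set upd.ActiveConnection = conn
        upd.CommandType = adCmdText
        upd.CommandText = "update tbl_rating set intscore = ?, intvotes = ?, inttotalscore = ? where intthemeid = ?"
        addLongParam upd, "score", rating(1)
        addLongParam upd, "votes", rating(2)
        addLongParam upd, "total", rating(3)
        addTextParam upd, "themeid", rating(0)
        upd.Execute , , adExecuteNoRecords
        Set upd = Nothing
    Else
        rating(0) = rs("intthemeid")
        rating(2) = rs("intvotes")          ' votes
        rating(1) = rs("intscore")          ' score
        rating(3) = rs("inttotalscore")     ' total score
        Application.Lock
        Application(strThemeid) = rating
        Application.Unlock
    End If
    rs.MoveNext
Wend

' Release the recordset and connection.
rs.close
conn.close
Set rs = Nothing
Set cmd = Nothing
Set conn = Nothing

' The body is shaped like a query string; each value is URL-encoded so a stored id cannot
' inject "&"/"=" separators or markup into the response. TODO confirm the consumer
' URL-decodes the values (the original wrote them raw).
If IsArray(Application(strThemeid)) Then
    stored = Application(strThemeid)
%>t=<%=Server.URLEncode(stored(0))%>&s=<%=Server.URLEncode(stored(1))%>&v=<%=Server.URLEncode(stored(2))%><%
End If
%>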