Security fixes and schema cleanup

- Fix SQL injection in displayprofile.asp (parameterized query) - Add HTMLEncode to XSS-vulnerable output in 5 display pages - Add Option Explicit to computers.asp, displaymachines.asp, displaypcs.asp, displayapplication.asp, displayprofile.asp - Update STANDARDS.md with test script reference, secrets management, column naming gotchas - Fix equipment type ranges in CLAUDE.md and QUICK_REFERENCE.md (1-15, 21-25) - Add migration SQL to cleanup redundant PC machinetypes (34-46) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-12 07:22:16 -05:00
parent 693789138d
commit e0d89f9957
9 changed files with 258 additions and 57 deletions
--- a/docs/QUICK_REFERENCE.md
+++ b/docs/QUICK_REFERENCE.md
@@ -39,9 +39,10 @@ machines (machineid, hostname, serialnumber, alias, machinenumber,
          loggedinuser, machinenotes, isactive, maptop, mapleft, lastupdated)

 -- Identify record type:
--   PCs:             pctypeid IS NOT NULL (machinetypeid 33-35)
--   Equipment:       pctypeid IS NULL AND machinetypeid < 16
+--   PCs:             pctypeid IS NOT NULL (machinetypeid 33+)
+--   Equipment:       pctypeid IS NULL AND machinetypeid NOT IN (16,17,18,19,20) AND machinetypeid < 33
 --   Network Devices: machinetypeid IN (16,17,18,19,20)
+-- Equipment types: 1-15, 21-25 (e.g., Lathe, Mill, CMM, Hobbing Machine, etc.)
 ```

 ### PC-Related Tables
--- a/docs/STANDARDS.md
+++ b/docs/STANDARDS.md
@@ -1,8 +1,8 @@
 # Classic ASP Development Standards
 ## ShopDB Application

-**Version:** 1.0
-**Last Updated:** 2025-10-10
+**Version:** 1.1
+**Last Updated:** 2025-12-11
 **Status:** MANDATORY for all new development and modifications

 ---
@@ -414,7 +414,7 @@ Standard error codes for user messaging:
 '   - machines (primary)
 '   - machinetypes, models, vendors, businessunits
 '   - printers (LEFT JOIN - may be NULL)
-'   - pc (LEFT JOIN - may be NULL)
+'   - communications (LEFT JOIN - may be NULL)
 '
 ' SECURITY:
 '   - Requires authentication
@@ -691,9 +691,9 @@ Sub LogError(source, errorNum, errorDesc)
 **Style:** lowercase, plural nouns

 ```sql
-machines
+machines       -- Unified table: Equipment, PCs, Network Devices
 printers
-pc  (exception - acronym)
+communications -- Network interfaces (IP/MAC)
 machinetypes
 vendors
 models
@@ -713,6 +713,23 @@ createdate
 lastupdated
 ```

+### Column Naming Gotchas
+
+**IMPORTANT:** Be aware of these non-obvious column names:
+
+| Expected | Actual | Table |
+|----------|--------|-------|
+| `ipaddress` | `address` | communications |
+| `gateway` | `defaultgateway` | communications |
+| `notes` | `machinenotes` | machines |
+| `pcid` | `machineid` | machines (PCs are in unified table) |
+| `pc_comm_config` | `commconfig` | (table name) |
+| `pc_dnc_config` | `dncconfig` | (table name) |
+
+**PC Identification:** PCs are in the `machines` table, identified by:
+- `pctypeid IS NOT NULL`
+- `machinetypeid IN (33, 34, 35)`
+
 ---

 ## Documentation Standards
@@ -904,6 +921,22 @@ Response.Write(RenderCachedUnitDropdown())

 ## Testing Standards

+### Automated Form Testing
+
+**REQUIRED:** Run the comprehensive test suite after making changes to ASP pages.
+
+```bash
+./tests/test_forms.sh
+```
+
+This script tests 41 endpoints including:
+- Page load tests (dashboards, list views, maps)
+- Add form page loads
+- Form submissions (notifications, equipment, printers, subnets, applications, KB, vendors, models, network devices)
+- API endpoints
+
+Test data uses `AUTOTEST_` prefix for easy cleanup. See `tests/cleanup_test_data.sql`.
+
 ### Unit Testing

 **REQUIRED:** Test all validation functions.
@@ -1021,6 +1054,20 @@ Before committing code, verify:
 2. Never commit `config.asp` to source control
 3. Add `config.asp` to `.gitignore`

+### Secrets Management
+
+**MANDATORY:** Store sensitive credentials in `secrets.md` (gitignored).
+
+**Contents:**
+- Zabbix API URL and token
+- Gitea API URL and token
+- Database credentials (per environment)
+
+**NEVER commit:**
+- API tokens
+- Database passwords
+- Authentication credentials
+
 ### Configuration Template

 ```vbscript
@@ -1216,6 +1263,7 @@ Call CleanupResources()
 | Version | Date | Changes | Author |
 |---------|------|---------|--------|
 | 1.0 | 2025-10-10 | Initial standards document created from audit findings | Claude |
+| 1.1 | 2025-12-11 | Updated for Phase 2 schema (unified machines table), added test script reference, secrets management, column naming gotchas | Claude |

 ---