<%
'=============================================================================
' FILE: displaypc.asp
' PURPOSE: Display detailed PC information with edit capability
' SECURITY: Parameterized queries, HTML encoding, input validation
' UPDATED: 2025-11-07 - Phase 2 migration (mirrors displaymachine.asp) - Migrated to secure patterns
'=============================================================================
%>
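<%
' Theme cookie selects the CSS theme class; falls back to the default theme.
' NOTE(review): the cookie value is written out elsewhere on the page - confirm
' it is HTML-encoded or matched against the known theme names at that point.
theme = Request.Cookies("theme")
If theme = "" Then
    theme = "bg-theme1"
End If

'=============================================================================
' SECURITY: Resolve the machine to display from the query string.
' Accepts either ?pcid= (a machineid, or a numeric machine number stored in
' the hostname column) or ?hostname=. Every lookup goes through
' ExecuteParameterizedQuery, so no request value is concatenated into SQL.
' On exit both pcid and machineid hold the resolved machineid (0 = not found);
' the communications/relationships sections further down read machineid.
'=============================================================================
Dim pcid, hostname, paramValue
Dim rsLookup, strLookupSQL

' GetSafeInteger yields the default (0) when the parameter is missing or outside 1..999999.
pcid = GetSafeInteger("QS", "pcid", 0, 1, 999999)

If pcid = 0 Then
    ' No usable pcid - fall back to a hostname lookup.
    hostname = Request.QueryString("hostname")
    If hostname <> "" Then
        strLookupSQL = "SELECT machineid FROM machines WHERE hostname = ? AND isactive = 1"
        Set rsLookup = ExecuteParameterizedQuery(objConn, strLookupSQL, Array(hostname))
        If Not rsLookup.EOF Then
            pcid = rsLookup("machineid")
        End If
        rsLookup.Close
        Set rsLookup = Nothing
    End If
Else
    ' A numeric id was supplied. Try it as a machineid first; if nothing matches,
    ' treat it as a machine number held in the hostname column.
    ' (Previously this branch queried the never-assigned variable machineid,
    ' so the existence check always ran against an empty value.)
    strLookupSQL = "SELECT machineid FROM machines WHERE machineid = ? AND isactive = 1"
    Set rsLookup = ExecuteParameterizedQuery(objConn, strLookupSQL, Array(pcid))
    If rsLookup.EOF Then
        rsLookup.Close
        strLookupSQL = "SELECT machineid FROM machines WHERE hostname = ? AND isactive = 1"
        Set rsLookup = ExecuteParameterizedQuery(objConn, strLookupSQL, Array(CStr(pcid)))
        If Not rsLookup.EOF Then
            pcid = rsLookup("machineid")
        Else
            pcid = 0 ' Not found under either interpretation
        End If
    End If
    rsLookup.Close
    Set rsLookup = Nothing
End If

' Later sections of this page key their queries on machineid; keep it in step.
machineid = pcid

If pcid = 0 Then
    objConn.Close
    Response.Redirect("displaypcs.asp")
    Response.End
End If

'=============================================================================
' SECURITY: Main record is fetched with a parameterized query (the id is bound,
' not concatenated). The WHERE clause previously carried unresolved merge
' residue with three competing variants; this is the single intended clause.
' PHASE 2: Removed pc and pc_network_interfaces tables (migrated to machines)
' NOTE: Use explicit column names to avoid wildcard conflicts between tables
'=============================================================================
' Phase 2: Only query columns that actually exist in machines table
strSQL = "SELECT machines.machineid, machines.machinenumber, machines.alias, machines.hostname, " & _
    "machines.serialnumber, machines.machinenotes, machines.mapleft, machines.maptop, " & _
    "machines.modelnumberid, machines.businessunitid, machines.printerid, machines.pctypeid, " & _
    "machines.loggedinuser, machines.osid, machines.machinestatusid, " & _
    "machines.controllertypeid, machines.controllerosid, machines.requires_manual_machine_config, " & _
    "machines.lastupdated, machines.dateadded, " & _
    "pctypes.pctype, pctypes.pctypeid, " & _
    "models.modelnumber, models.image, models.modelnumberid, " & _
    "businessunits.businessunit, businessunits.businessunitid, " & _
    "functionalaccounts.functionalaccount, functionalaccounts.functionalaccountid, " & _
    "vendors.vendor, vendors.vendorid, " & _
    "printers.ipaddress AS printerip, printers.printerid AS printer_id, " & _
    "printers.printercsfname, printers.printerwindowsname " & _
    "FROM machines " & _
    "INNER JOIN models ON machines.modelnumberid = models.modelnumberid " & _
    "LEFT JOIN pctypes ON models.machinetypeid = pctypes.pctypeid " & _
    "INNER JOIN businessunits ON machines.businessunitid = businessunits.businessunitid " & _
    "LEFT JOIN functionalaccounts ON machinetypes.functionalaccountid = functionalaccounts.functionalaccountid " & _
    "INNER JOIN vendors ON models.vendorid = vendors.vendorid " & _
    "LEFT JOIN printers ON machines.printerid = printers.printerid " & _
    "WHERE machines.machineid = ? AND machines.pctypeid IS NOT NULL"
' NOTE(review): machinetypes is not in the FROM clause above (pctypes is), so the
' functionalaccounts join condition looks carried over from displaymachine.asp -
' confirm the intended table before relying on the functionalaccount columns.
Set rs = ExecuteParameterizedQuery(objConn, strSQL, Array(CLng(pcid)))

' Redirect to the list page when the machine does not exist (or is not a PC).
If rs.EOF Then
    rs.Close
    Set rs = Nothing
    objConn.Close
    Response.Redirect("displaypcs.asp")
    Response.End
End If
%><%=Server.HTMLEncode(rs("machinenotes") & "")%>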
Location:
Vendor:
Model:
Function:
BU:
IP Address:
MAC Address:
Controlling PC:
Printer:
<% ' Machine number cell: the "N/A" sentinel is emitted as-is, anything else is HTML-encoded.
If machineNumVal = "N/A" Then
    Response.Write("N/A")
Else
%> <%=Server.HTMLEncode(machineNumVal)%> <%
End If
%>
<% ' Vendor / model / type / business unit values are prepared earlier on the page; each is HTML-encoded on output.
Response.Write(Server.HTMLEncode(vendorValM)) %>
<% Response.Write(Server.HTMLEncode(modelValM)) %>
<% Response.Write(Server.HTMLEncode(machineTypeVal)) %>
<% Response.Write(Server.HTMLEncode(buVal)) %>
<%
' Primary network identity (IP and MAC) for this machine, read from the
' communications table through the page's parameterized-query helper.
' NOTE(review): several Response.Write literals below span a line break, which
' VBScript does not allow - the enclosing markup appears to have been stripped
' from this copy of the file; restore it from source before running.
Dim rsPrimaryCom, strPrimaryComSQL, primaryIP, primaryMAC
strPrimaryComSQL = "SELECT address, macaddress FROM communications WHERE machineid = ? AND isprimary = 1 AND isactive = 1 LIMIT 1"
Set rsPrimaryCom = ExecuteParameterizedQuery(objConn, strPrimaryComSQL, Array(machineid))
If Not rsPrimaryCom.EOF Then
    primaryIP = rsPrimaryCom("address") & ""
    primaryMAC = rsPrimaryCom("macaddress") & ""
Else
    ' No row flagged isprimary: fall back to the active entry with the lowest comid.
    rsPrimaryCom.Close
    strPrimaryComSQL = "SELECT address, macaddress FROM communications WHERE machineid = ? AND isactive = 1 ORDER BY comid LIMIT 1"
    Set rsPrimaryCom = ExecuteParameterizedQuery(objConn, strPrimaryComSQL, Array(machineid))
    If Not rsPrimaryCom.EOF Then
        primaryIP = rsPrimaryCom("address") & ""
        primaryMAC = rsPrimaryCom("macaddress") & ""
    Else
        primaryIP = ""
        primaryMAC = ""
    End If
End If
rsPrimaryCom.Close
Set rsPrimaryCom = Nothing
' Display IP Address (HTML-encoded; "N/A" when none recorded)
If primaryIP <> "" Then
    Response.Write("" & Server.HTMLEncode(primaryIP) & "
")
Else
    Response.Write("N/A
")
End If
' Display MAC Address (HTML-encoded; "N/A" when none recorded)
If primaryMAC <> "" Then
    Response.Write("" & Server.HTMLEncode(primaryMAC) & "
")
Else
    Response.Write("N/A
")
End If
' Controlling PC: the machine holding an active 'Controls' relationship to this one.
Dim rsControlPC, strControlPCSQL, controlPCHostname, controlPCID
strControlPCSQL = "SELECT m.machineid, m.hostname, m.machinenumber FROM machinerelationships mr " & _
    "JOIN relationshiptypes rt ON mr.relationshiptypeid = rt.relationshiptypeid " & _
    "JOIN machines m ON mr.machineid = m.machineid " & _
    "WHERE mr.related_machineid = ? AND rt.relationshiptype = 'Controls' AND mr.isactive = 1 LIMIT 1"
Set rsControlPC = ExecuteParameterizedQuery(objConn, strControlPCSQL, Array(machineid))
If Not rsControlPC.EOF Then
    controlPCHostname = rsControlPC("hostname") & ""
    controlPCID = rsControlPC("machineid")
    ' NOTE(review): this fallback re-reads hostname, so it can never change the
    ' value; machinenumber is selected but unused and was presumably the intended fallback.
    If controlPCHostname = "" Then controlPCHostname = rsControlPC("hostname") & ""
    Response.Write("" & Server.HTMLEncode(controlPCHostname) & "
")
Else
    Response.Write("N/A
")
End If
rsControlPC.Close
Set rsControlPC = Nothing
' SECURITY: HTML encode printer data to prevent XSS
' Printer data - check if exists (LEFT JOIN may return NULL)
' (VBScript And does not short-circuit, but False And Null still evaluates False here.)
If Not IsNull(rs("printerid")) And rs("printerid") <> "" Then
    Dim printerNameVal
    printerNameVal = rs("printerwindowsname") & ""
    ' Fall back to a generic label when the Windows name is blank.
    If printerNameVal = "" Then printerNameVal = "Printer #" & rs("printerid")
    Response.Write("" & Server.HTMLEncode(printerNameVal) & "
")
Else
    Response.Write("N/A
")
End If
%>| Type | IP Address | MAC Address | Interface | Primary | Status |
|---|---|---|---|---|---|
| No network communications configured | |||||
| " & Server.HTMLEncode(rs2("typename") & "") & " | ") Response.Write("" & ipAddr & " | ") Response.Write("" & macAddr & " | ") Response.Write("" & ifaceName & " | ") Response.Write("" & statusBadge & " | ") Response.Write("Active | ") Response.Write("
| PC Hostname | IP Address | Relationship |
|---|---|---|
| No controlling PC assigned | ||
| " & Server.HTMLEncode(pcHostname) & " | ") Response.Write("" & pcIP & " | ") Response.Write("" & Server.HTMLEncode(rs2("relationshiptype") & "") & " | ") Response.Write("
| Machine Number | Type | Model | Relationship |
|---|---|---|---|
| No dualpath relationships | |||
| " & Server.HTMLEncode(dualMachineNum) & " | ") Response.Write("" & dualType & " | ") Response.Write("" & dualModel & " | ") Response.Write("" & Server.HTMLEncode(rs2("relationshiptype") & "") & " | ") Response.Write("
Third Party Managed:
Third Party Manager:
OT Asset System:
DoD Asset Device Type:
Compliant:
<% ' tpmBadge is written without encoding. NOTE(review): confirm it is server-built
' markup assembled earlier on the page and never carries user-supplied text.
Response.Write(tpmBadge) %>
<% Response.Write(Server.HTMLEncode(thirdPartyManager)) %>
<% Response.Write(Server.HTMLEncode(otAssetSystem)) %>
<% Response.Write(Server.HTMLEncode(dodAssetDeviceType)) %>
<% ' Compliance flag: Null means no assessment has been recorded; otherwise a yes/no value.
If IsNull(isCompliant) Then
    Response.Write("Not Assessed")
ElseIf isCompliant Then
    Response.Write("Yes")
Else
    Response.Write("No")
End If %>
| Scan Name | Date | Result | Details |
|---|---|---|---|
| No security scans recorded | |||
| " & Server.HTMLEncode(scanName) & " | ") Response.Write("" & Server.HTMLEncode(scanDate) & " | ") Response.Write("" & resultBadge & " | ") Response.Write("" & scanDetails & " | ") Response.Write("
No compliance data available for this machine.
") rs2.Close Set rs2 = Nothing End If %>| " & Server.HTMLEncode(rs2("appname") & "") & " |