<% '============================================================================= ' FILE: savemodeldirect.asp ' PURPOSE: Create new model with optional vendor creation ' SECURITY: Parameterized queries, HTML encoding, input validation ' UPDATED: 2025-10-27 - Migrated to secure patterns '============================================================================= %>
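<%
' savemodeldirect.asp - create a new model, optionally creating the
' manufacturer (vendor) and the machine type in the same request.
'
' Provided by the page that includes this one (not defined here):
'   objConn     - an open ADODB.Connection
'   ShowError   - ShowError message, backTo
'   ShowSuccess - ShowSuccess message, backTo, linkText
'
' Every statement goes through ADODB.Command parameters (no string-built SQL)
' and every user-supplied value that is echoed back passes through
' Server.HTMLEncode. ADO constants are written as literals
' (200 = adVarChar, 3 = adInteger, direction 1 = adParamInput,
' CommandType 1 = adCmdText) so this file does not clash with an include that
' already declares the adovbs.inc names.
'
' NOTE(review): no anti-CSRF token is checked in this file; presumably the
' shared include does it - confirm.
' NOTE(review): a vendor or machine type inserted below is not removed again
' when the later model insert fails, leaving an orphan row. Wrapping the page in
' objConn.BeginTrans / CommitTrans / RollbackTrans would close that gap provided
' the table engine supports transactions - confirm before adding.

Dim modelnumber, vendorid, notes, documentationpath
Dim newvendorname, isprinter, ispc, ismachine
Dim modelisprinter, modelispc, modelismachine
Dim machinetypeid, newmachinetypename, newmachinetypecategory
Dim hasMachineType, newModelId
Dim cmd, errText, updateVendorSQL, modelSQL

' --- Inputs (free-text values trimmed, checkbox values taken as posted) ---
modelnumber = Trim(Request.Form("modelnumber"))
vendorid = Trim(Request.Form("vendorid"))
notes = Trim(Request.Form("notes"))
documentationpath = Trim(Request.Form("documentationpath"))

' New vendor fields
newvendorname = Trim(Request.Form("newvendorname"))
isprinter = Request.Form("isprinter")
ispc = Request.Form("ispc")
ismachine = Request.Form("ismachine")

' Model type checkboxes
modelisprinter = Request.Form("modelisprinter")
modelispc = Request.Form("modelispc")
modelismachine = Request.Form("modelismachine")

' Machine type fields
machinetypeid = Trim(Request.Form("machinetypeid"))
newmachinetypename = Trim(Request.Form("newmachinetypename"))
newmachinetypecategory = Trim(Request.Form("newmachinetypecategory"))

' --- Required fields and lengths ---------------------------------------
' The limits match the adVarChar sizes bound in the INSERT statements below,
' so an over-long value is rejected here instead of failing in the provider.
If modelnumber = "" Then AbortWithError "Model number is required."
If Len(modelnumber) > 255 Then AbortWithError "Model number too long."
If Len(notes) > 255 Then AbortWithError "Notes too long."
If Len(documentationpath) > 255 Then AbortWithError "Documentation path too long."

' --- Manufacturer: create a new one or validate the posted ID ------------
If vendorid = "new" Then
    If newvendorname = "" Then AbortWithError "Manufacturer name is required when adding a new manufacturer."
    If Len(newvendorname) > 50 Then AbortWithError "Manufacturer name too long."

    ' Duplicate check. NOTE(review): a concurrent request can pass this check
    ' at the same time; a UNIQUE index on vendors(vendor) is the real guard -
    ' confirm the schema has one.
    Set cmd = NewTextCommand("SELECT COUNT(*) as cnt FROM vendors WHERE LOWER(vendor) = LOWER(?)")
    cmd.Parameters.Append cmd.CreateParameter("@vendor", 200, 1, 50, newvendorname)
    If ScalarCount(cmd) > 0 Then
        Set cmd = Nothing
        AbortWithError "Manufacturer '" & Server.HTMLEncode(newvendorname) & "' already exists."
    End If
    Set cmd = Nothing

    Set cmd = NewTextCommand("INSERT INTO vendors (vendor, isactive, isprinter, ispc, ismachine) VALUES (?, 1, ?, ?, ?)")
    cmd.Parameters.Append cmd.CreateParameter("@vendor", 200, 1, 50, newvendorname)
    cmd.Parameters.Append cmd.CreateParameter("@isprinter", 3, 1, , CheckboxFlag(isprinter))
    cmd.Parameters.Append cmd.CreateParameter("@ispc", 3, 1, , CheckboxFlag(ispc))
    cmd.Parameters.Append cmd.CreateParameter("@ismachine", 3, 1, , CheckboxFlag(ismachine))
    errText = ExecuteNonQuery(cmd)
    Set cmd = Nothing
    If errText <> "" Then AbortWithError "Error creating manufacturer: " & Server.HTMLEncode(errText)

    ' LAST_INSERT_ID() is per connection, so this is the row just inserted on
    ' objConn. A 0 here would otherwise let the model be saved with vendorid 0.
    vendorid = LastInsertId()
    If vendorid < 1 Then AbortWithError "Error creating manufacturer: new ID could not be determined."
Else
    ' IsPositiveId is used instead of "Not IsNumeric(x) Or CLng(x) < 1":
    ' VBScript's Or evaluates both sides, so CLng on a non-numeric value
    ' raised a type mismatch before the friendly error could be shown.
    If Not IsPositiveId(vendorid) Then AbortWithError "Invalid manufacturer ID."
    vendorid = CLng(vendorid)
End If

' --- Raise the manufacturer's type flags to cover this model's type -------
' The CASE expressions only ever set a flag to 1; existing 1s are kept.
If modelisprinter = "1" Or modelispc = "1" Or modelismachine = "1" Then
    updateVendorSQL = "UPDATE vendors SET isprinter = CASE WHEN ? = 1 THEN 1 ELSE isprinter END, " & _
                      "ispc = CASE WHEN ? = 1 THEN 1 ELSE ispc END, " & _
                      "ismachine = CASE WHEN ? = 1 THEN 1 ELSE ismachine END " & _
                      "WHERE vendorid = ?"
    Set cmd = NewTextCommand(updateVendorSQL)
    cmd.Parameters.Append cmd.CreateParameter("@isprinter", 3, 1, , CheckboxFlag(modelisprinter))
    cmd.Parameters.Append cmd.CreateParameter("@ispc", 3, 1, , CheckboxFlag(modelispc))
    cmd.Parameters.Append cmd.CreateParameter("@ismachine", 3, 1, , CheckboxFlag(modelismachine))
    cmd.Parameters.Append cmd.CreateParameter("@vendorid", 3, 1, , vendorid)
    errText = ExecuteNonQuery(cmd)
    Set cmd = Nothing
    If errText <> "" Then AbortWithError "Error updating manufacturer: " & Server.HTMLEncode(errText)
End If

' --- Machine type: create a new one, validate the posted ID, or none -----
hasMachineType = False
If machinetypeid = "new" Then
    If newmachinetypename = "" Then AbortWithError "Machine type name is required when adding a new type."
    If Len(newmachinetypename) > 50 Then AbortWithError "Machine type name too long."
    ' The category is bound as a 50-character adVarChar below.
    If Len(newmachinetypecategory) > 50 Then AbortWithError "Machine type category too long."

    ' Duplicate check; same caveat as for vendors regarding concurrent requests.
    Set cmd = NewTextCommand("SELECT COUNT(*) as cnt FROM machinetypes WHERE LOWER(machinetype) = LOWER(?)")
    cmd.Parameters.Append cmd.CreateParameter("@machinetype", 200, 1, 50, newmachinetypename)
    If ScalarCount(cmd) > 0 Then
        Set cmd = Nothing
        AbortWithError "Machine type '" & Server.HTMLEncode(newmachinetypename) & "' already exists."
    End If
    Set cmd = Nothing

    ' Default category if not provided
    If newmachinetypecategory = "" Then newmachinetypecategory = "Equipment"

    Set cmd = NewTextCommand("INSERT INTO machinetypes (machinetype, isactive, category) VALUES (?, 1, ?)")
    cmd.Parameters.Append cmd.CreateParameter("@machinetype", 200, 1, 50, newmachinetypename)
    cmd.Parameters.Append cmd.CreateParameter("@category", 200, 1, 50, newmachinetypecategory)
    errText = ExecuteNonQuery(cmd)
    Set cmd = Nothing
    If errText <> "" Then AbortWithError "Error creating machine type: " & Server.HTMLEncode(errText)

    machinetypeid = LastInsertId()
    If machinetypeid < 1 Then AbortWithError "Error creating machine type: new ID could not be determined."
    hasMachineType = True
ElseIf machinetypeid <> "" Then
    ' An unusable existing ID is dropped rather than rejected (as before):
    ' the model is then saved without a machine type.
    If IsPositiveId(machinetypeid) Then
        machinetypeid = CLng(machinetypeid)
        hasMachineType = True
    End If
End If

' --- Model: duplicate check per manufacturer, then insert -----------------
Set cmd = NewTextCommand("SELECT COUNT(*) as cnt FROM models WHERE LOWER(modelnumber) = LOWER(?) AND vendorid = ?")
cmd.Parameters.Append cmd.CreateParameter("@modelnumber", 200, 1, 255, modelnumber)
cmd.Parameters.Append cmd.CreateParameter("@vendorid", 3, 1, , vendorid)
If ScalarCount(cmd) > 0 Then
    Set cmd = Nothing
    AbortWithError "Model '" & Server.HTMLEncode(modelnumber) & "' already exists for this manufacturer."
End If
Set cmd = Nothing

If hasMachineType Then
    modelSQL = "INSERT INTO models (modelnumber, vendorid, notes, documentationpath, machinetypeid, isactive) VALUES (?, ?, ?, ?, ?, 1)"
Else
    modelSQL = "INSERT INTO models (modelnumber, vendorid, notes, documentationpath, isactive) VALUES (?, ?, ?, ?, 1)"
End If
Set cmd = NewTextCommand(modelSQL)
cmd.Parameters.Append cmd.CreateParameter("@modelnumber", 200, 1, 255, modelnumber)
cmd.Parameters.Append cmd.CreateParameter("@vendorid", 3, 1, , vendorid)
cmd.Parameters.Append cmd.CreateParameter("@notes", 200, 1, 255, notes)
cmd.Parameters.Append cmd.CreateParameter("@documentationpath", 200, 1, 255, documentationpath)
If hasMachineType Then
    cmd.Parameters.Append cmd.CreateParameter("@machinetypeid", 3, 1, , machinetypeid)
End If
errText = ExecuteNonQuery(cmd)
Set cmd = Nothing
If errText <> "" Then AbortWithError "Error creating model: " & Server.HTMLEncode(errText)

newModelId = LastInsertId()
objConn.Close

If newModelId > 0 Then
    ShowSuccess "Model '" & Server.HTMLEncode(modelnumber) & "' added successfully.", "addmodel.asp", "add another"
Else
    ShowError "Model was not added successfully.", "addmodel.asp"
End If

' =========================================================================
' Helpers (VBScript hoists procedures, so they may follow their first use)
' =========================================================================

' Single exit path for every validation or database failure: releases the
' connection, renders the error page and ends the response, so no branch can
' forget objConn.Close and nothing runs after a failure.
Sub AbortWithError(message)
    objConn.Close
    ShowError message, "addmodel.asp"
    Response.End
End Sub

' True when s is a plain string of decimal digits representing an ID >= 1.
' IsNumeric alone is too permissive ("1.5", "1e3", "&H10", " 7 " all pass),
' and the length cap keeps CLng from overflowing on very long digit strings.
Function IsPositiveId(s)
    Dim i
    IsPositiveId = False
    If Len(s) = 0 Or Len(s) > 9 Then Exit Function
    For i = 1 To Len(s)
        If InStr("0123456789", Mid(s, i, 1)) = 0 Then Exit Function
    Next
    IsPositiveId = (CLng(s) >= 1)
End Function

' 1 when a checkbox posted the value "1", otherwise 0 (bound as adInteger).
Function CheckboxFlag(posted)
    If posted = "1" Then
        CheckboxFlag = 1
    Else
        CheckboxFlag = 0
    End If
End Function

' Build an ADODB.Command for plain SQL text bound to objConn.
Function NewTextCommand(sql)
    Dim c
    Set c = Server.CreateObject("ADODB.Command")
    c.ActiveConnection = objConn
    c.CommandText = sql
    c.CommandType = 1 ' adCmdText
    Set NewTextCommand = c
End Function

' Execute a command whose single row has a COUNT(*) column aliased cnt and
' return it as a Long (0 when the result set is empty or the value is NULL).
Function ScalarCount(c)
    Dim rs
    ScalarCount = 0
    Set rs = c.Execute
    If Not rs.EOF Then
        If Not IsNull(rs("cnt")) Then ScalarCount = CLng(rs("cnt"))
    End If
    rs.Close
    Set rs = Nothing
End Function

' Return LAST_INSERT_ID() on objConn as a Long, or 0 if it is unavailable.
' Runs outside any On Error Resume Next region, so a failing lookup surfaces
' instead of silently yielding 0.
Function LastInsertId()
    Dim rs
    LastInsertId = 0
    Set rs = objConn.Execute("SELECT LAST_INSERT_ID() as newid")
    If Not rs.EOF Then
        If Not IsNull(rs("newid")) Then LastInsertId = CLng(rs("newid"))
    End If
    rs.Close
    Set rs = Nothing
End Function

' Execute a non-query command and return "" on success or the provider's
' Err.Description on failure. The error-suppression window covers only the
' Execute call, so nothing else in the page runs with errors hidden.
' NOTE(review): callers show that description to the user; if this page is
' reachable by untrusted users, prefer logging it server-side and showing a
' generic message, since provider errors can reveal schema details.
Function ExecuteNonQuery(c)
    ExecuteNonQuery = ""
    On Error Resume Next
    c.Execute
    If Err.Number <> 0 Then
        ExecuteNonQuery = Err.Description
        Err.Clear
    End If
    On Error GoTo 0
End Function
%>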