<% '============================================================================= ' FILE: updatesubnetdirect.asp ' PURPOSE: Update existing subnet with IP address calculations ' SECURITY: Parameterized queries, HTML encoding, input validation ' UPDATED: 2025-10-27 - Migrated to secure patterns '============================================================================= %>
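<%
'-----------------------------------------------------------------------------
' Helpers. VBScript hoists Function/Sub definitions, so they may sit at the top
' of the script block; they read the script-level objConn and subnetid.
'-----------------------------------------------------------------------------

' True when s is a non-empty run of ASCII digits.
' Stricter than IsNumeric(), which also accepts signs, decimals, exponents
' ("1e3"), hex ("&H10") and currency text; all of those either change meaning
' under CLng() or make it raise a runtime error.
Function IsDigitString(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d+$"
    IsDigitString = re.Test(s)
End Function

' True when s is a digit string whose value fits a VBScript Long (max
' 2147483647), so that CLng(s) cannot raise an overflow error.
Function IsLongValue(s)
    IsLongValue = False
    If Not IsDigitString(s) Then Exit Function
    If Len(s) > 10 Then Exit Function
    If CDbl(s) > 2147483647 Then Exit Function
    IsLongValue = True
End Function

' True when s is a Long value of at least 1 (a usable row id).
' Kept as nested checks on purpose: VBScript's Or does not short-circuit, so
' "Not IsNumeric(s) Or CLng(s) < 1" evaluates CLng(s) even for "abc" and
' raises a Type mismatch instead of rejecting the input.
Function IsPositiveLong(s)
    IsPositiveLong = False
    If IsLongValue(s) Then
        If CLng(s) >= 1 Then IsPositiveLong = True
    End If
End Function

' True when s is a dotted-quad IPv4 literal with every octet in 0..255.
' A length check alone (7..15 characters) still lets arbitrary text reach
' INET_ATON(), which then yields NULL for both ipstart and ipend.
Function IsIPv4Literal(s)
    Dim re, octets, i
    IsIPv4Literal = False
    Set re = New RegExp
    re.Pattern = "^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"
    If Not re.Test(s) Then Exit Function
    octets = Split(s, ".")
    For i = 0 To 3
        If CLng(octets(i)) > 255 Then Exit Function
    Next
    IsIPv4Literal = True
End Function

' Numeric value of a dotted-quad IPv4 literal (as a Double, since the full
' 32-bit unsigned range does not fit a Long). Only call after IsIPv4Literal().
Function IPv4ToNumber(s)
    Dim octets
    octets = Split(s, ".")
    IPv4ToNumber = CDbl(octets(0)) * 16777216 + CDbl(octets(1)) * 65536 _
                 + CDbl(octets(2)) * 256 + CDbl(octets(3))
End Function

' Runs a "SELECT COUNT(*) AS cnt ... WHERE <col> = ?" statement with a single
' Long input parameter and reports whether at least one row matched.
'   sql       - parameterized statement returning one row with a cnt column
'   paramName - ADO parameter name (informational for adCmdText)
'   idValue   - Long value bound to the "?" placeholder
Function RowExists(sql, paramName, idValue)
    Dim cmd, rs
    RowExists = False
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = objConn
    cmd.CommandText = sql
    cmd.CommandType = 1   ' adCmdText
    ' 3 = adInteger, 1 = adParamInput
    cmd.Parameters.Append cmd.CreateParameter(paramName, 3, 1, , idValue)
    Set rs = cmd.Execute
    If Not rs.EOF Then
        If Not IsNull(rs("cnt")) Then
            If CLng(rs("cnt")) > 0 Then RowExists = True
        End If
    End If
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

' Redirects to url, closes the connection and ends the request.
' Order matters: with response buffering on, Redirect does not end the
' response by itself, so the connection is closed before Response.End.
Sub AbortTo(url)
    Response.Redirect url
    objConn.Close
    Response.End
End Sub

' Sends the user back to the subnet page with an error code.
' Only called after subnetid has been verified to be a plain positive
' integer, so splicing it into the URL needs no further encoding.
Sub FailWith(code)
    AbortTo "displaysubnet.asp?subnetid=" & subnetid & "&error=" & code
End Sub

'-----------------------------------------------------------------------------
' Request handling
'-----------------------------------------------------------------------------

' Get form inputs
Dim subnetid, vlan, ipstart, cidr, description, subnettypeid, cidrarray, ipend
subnetid     = Trim(Request.QueryString("subnetid"))
vlan         = Trim(Request.Form("vlan"))
ipstart      = Trim(Request.Form("ipstart"))
cidr         = Trim(Request.Form("cidr"))
description  = Trim(Request.Form("description"))
subnettypeid = Trim(Request.Form("subnettypeid"))

' Validate the subnet id first: every later redirect echoes it into a URL.
If Not IsPositiveLong(subnetid) Then
    Response.Write("Invalid subnet ID")
    objConn.Close
    Response.End
End If

' Verify the subnet exists using a parameterized query
If Not RowExists("SELECT COUNT(*) as cnt FROM subnets WHERE subnetid = ?", "@subnetid", CLng(subnetid)) Then
    AbortTo "displaysubnets.asp"
End If

' Validate required fields
If vlan = "" Or ipstart = "" Or cidr = "" Or subnettypeid = "" Then
    FailWith "REQUIRED_FIELD"
End If

' Validate VLAN is a plain non-negative integer that CLng() can bind
If Not IsLongValue(vlan) Then
    FailWith "INVALID_INPUT"
End If

' Validate the start address is a real dotted-quad literal
If Not IsIPv4Literal(ipstart) Then
    FailWith "INVALID_IP"
End If

' Validate subnet type ID
If Not IsPositiveLong(subnettypeid) Then
    FailWith "INVALID_ID"
End If

' Parse CIDR value (expected format: "cidr,ipend", where ipend is the
' host-count offset added to INET_ATON(ipstart) in the UPDATE below)
If InStr(cidr, ",") = 0 Then
    FailWith "INVALID_INPUT"
End If
cidrarray = Split(cidr, ",")
If UBound(cidrarray) < 1 Then
    FailWith "INVALID_INPUT"
End If
ipend = Trim(cidrarray(1))
cidr  = Trim(cidrarray(0))

' Remove leading slash if present (CIDR comes as "/24" format)
If Left(cidr, 1) = "/" Then
    cidr = Mid(cidr, 2)
End If

' Validate CIDR is an integer in 0..32 (nested so CLng never sees non-digits)
If Not IsLongValue(cidr) Then
    FailWith "INVALID_INPUT"
End If
If CLng(cidr) > 32 Then
    FailWith "INVALID_INPUT"
End If

' Validate ipend is a non-negative integer that fits the Long parameter
If Not IsLongValue(ipend) Then
    FailWith "INVALID_INPUT"
End If

' The computed end address (start + offset) must still be an IPv4 address,
' i.e. at most 4294967295; otherwise the UPDATE stores an out-of-range value.
If IPv4ToNumber(ipstart) + CDbl(ipend) > 4294967295 Then
    FailWith "INVALID_IP"
End If

' Validate description length (matches the 500-byte parameter size below)
If Len(description) > 500 Then
    FailWith "INVALID_INPUT"
End If

' Verify subnet type exists using a parameterized query
If Not RowExists("SELECT COUNT(*) as cnt FROM subnettypes WHERE subnettypeid = ?", "@subnettypeid", CLng(subnettypeid)) Then
    FailWith "NOT_FOUND"
End If

' Update using a parameterized query. ipstart is bound twice because the
' statement references it twice (placeholders are positional).
Dim strSQL, cmdUpdate
strSQL = "UPDATE subnets SET vlan = ?, ipstart = INET_ATON(?), ipend = (INET_ATON(?) + ?), cidr = ?, subnettypeid = ?, description = ? WHERE subnetid = ?"
Set cmdUpdate = Server.CreateObject("ADODB.Command")
cmdUpdate.ActiveConnection = objConn
cmdUpdate.CommandText = strSQL
cmdUpdate.CommandType = 1   ' adCmdText
' Parameter types: 3 = adInteger, 200 = adVarChar; direction 1 = adParamInput
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@vlan", 3, 1, , CLng(vlan))
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@ipstart1", 200, 1, 15, ipstart)
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@ipstart2", 200, 1, 15, ipstart)
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@ipend", 3, 1, , CLng(ipend))
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@cidr", 200, 1, 2, cidr)
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@subnettypeid", 3, 1, , CLng(subnettypeid))
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@description", 200, 1, 500, description)
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@subnetid", 3, 1, , CLng(subnetid))

' Execute with error trapping limited to the Execute call itself, then
' restore normal error handling so later failures are not silently skipped.
Dim updateFailed, updateErr
On Error Resume Next
cmdUpdate.Execute
updateFailed = (Err.Number <> 0)
updateErr = Err.Description
Err.Clear
On Error GoTo 0

Set cmdUpdate = Nothing
objConn.Close

If updateFailed Then
    ' Do not echo the provider's Err.Description to the browser: it can carry
    ' table/column names and driver details. No server-side log helper is
    ' visible in this file; updateErr holds the detail for one if it exists.
    ' TODO(review): route updateErr to the application's server-side log.
    Response.Write("Error: the subnet could not be updated.")
Else
    Response.Redirect("./displaysubnet.asp?subnetid=" & subnetid)
End If
%>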