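<%
'=============================================================================
' FILE: updatepcdirect.asp
' PURPOSE: Update PC/device with optional vendor and model creation
' SECURITY: Parameterized queries, HTML encoding, input validation
' UPDATED: 2025-10-27 - Migrated to secure patterns
'=============================================================================
%>
<%
' ---------------------------------------------------------------------------
' Helpers (objConn, ShowError and ShowSuccess come from the shared includes)
' ---------------------------------------------------------------------------

' Returns True when value is a string holding a positive whole-number ID.
'
' Two reasons this is a function rather than an inline test:
'  * VBScript's Or/And do NOT short-circuit, so the former
'    "Not IsNumeric(x) Or CLng(x) < 1" raised an unhandled Type mismatch
'    (an ASP 500 page) on any non-numeric vendor/model id.
'  * IsNumeric also accepts "1.5", "1e3", "+5", "&H10" and surrounding blanks,
'    which CLng then silently rounds or converts; ids are digits only.
' The CDbl comparison avoids the Overflow that CLng raises for long digit
' strings (2147483647 is the largest VBScript Long).
Function IsPositiveId(value)
    IsPositiveId = False
    If Len(value) = 0 Then Exit Function
    Dim i
    For i = 1 To Len(value)
        If InStr("0123456789", Mid(value, i, 1)) = 0 Then Exit Function
    Next
    If CDbl(value) >= 1 And CDbl(value) <= 2147483647 Then IsPositiveId = True
End Function

' Closes the DB connection, renders the error page and stops processing.
' Every validation failure goes through here so the close/stop sequence is
' identical at each call site and cannot be forgotten.
Sub AbortWithError(message, returnPage)
    objConn.Close
    ShowError message, returnPage
    Response.End
End Sub

' Creates an ADODB.Command for a parameterized text statement on objConn.
' CommandType 1 = adCmdText.
Function NewCommand(sqlText)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = objConn
    cmd.CommandText = sqlText
    cmd.CommandType = 1
    Set NewCommand = cmd
End Function

' Returns the id generated by the most recent INSERT on objConn.
' LAST_INSERT_ID() is per-connection, so this must run on the same
' connection object as the INSERT (it does: objConn).
Function LastInsertId()
    Dim rs
    Set rs = objConn.Execute("SELECT LAST_INSERT_ID() AS newid")
    LastInsertId = CLng(rs("newid"))
    rs.Close
    Set rs = Nothing
End Function

' ---------------------------------------------------------------------------
' Read form input (all untrusted; every field is validated before any DB write)
' ---------------------------------------------------------------------------
Dim pcid, vendorid, modelnumberid, machinenumber
pcid          = Trim(Request.Form("pcid"))
vendorid      = Trim(Request.Form("vendorid"))
modelnumberid = Trim(Request.Form("modelid"))
machinenumber = Trim(Request.Form("machinenumber"))

' Inputs for an optional new model
Dim newmodelnumber, newvendorid
newmodelnumber = Trim(Request.Form("newpcmodelnumber"))
newvendorid    = Trim(Request.Form("newpcmodelvendorid"))

' Input for an optional new vendor
Dim newvendorname
newvendorname = Trim(Request.Form("newpcvendorname"))

' NOTE(review): no authentication/authorization check is visible in this
' file; presumably the include that provides objConn/ShowError performs it -
' confirm before relying on that.

' ---------------------------------------------------------------------------
' Validate ALL input up front. Previously the machine-number length check ran
' after the vendor/model INSERTs, so a rejected request could leave freshly
' created vendor/model rows behind.
' ---------------------------------------------------------------------------
If Not IsPositiveId(pcid) Then
    AbortWithError "Invalid PC ID.", "displaypcs.asp"
End If
' Canonical digits-only form (drops leading zeros) before the id is echoed in
' redirect URLs.
pcid = CStr(CLng(pcid))

Dim returnPage
returnPage = "displaypc.asp?machineid=" & pcid

' vendorid / modelid: blank, a positive id, or the literal "new"
If vendorid <> "" And vendorid <> "new" Then
    If Not IsPositiveId(vendorid) Then AbortWithError "Invalid vendor ID.", returnPage
End If
If modelnumberid <> "" And modelnumberid <> "new" Then
    If Not IsPositiveId(modelnumberid) Then AbortWithError "Invalid model ID.", returnPage
End If

' New-vendor fields (50 is the size passed to the INSERT parameter below)
If vendorid = "new" Then
    If Len(newvendorname) = 0 Then AbortWithError "Vendor name is required.", returnPage
    If Len(newvendorname) > 50 Then AbortWithError "Vendor name too long.", returnPage
End If

' New-model fields
If modelnumberid = "new" Then
    If Len(newmodelnumber) = 0 Then AbortWithError "Model number is required.", returnPage
    If Len(newvendorid) = 0 Then AbortWithError "Vendor is required for new model.", returnPage
    If Len(newmodelnumber) > 50 Then AbortWithError "Model number too long.", returnPage
    ' newvendorid is only used when no vendorid (selected or "new") overrides
    ' it below; in that case it must be a real id, otherwise CLng(newvendorid)
    ' on the INSERT parameter raised an unhandled Type mismatch.
    If vendorid = "" And Not IsPositiveId(newvendorid) Then
        AbortWithError "Invalid vendor ID for new model.", returnPage
    End If
End If

' Machine number is optional; 50 is the size passed to the UPDATE parameter
If machinenumber <> "" And Len(machinenumber) > 50 Then
    AbortWithError "Machine number too long.", returnPage
End If

' ---------------------------------------------------------------------------
' Confirm the target PC exists (a machines row with a pctypeid)
' ---------------------------------------------------------------------------
Dim cmdCheck, rsCheck, pcExists
Set cmdCheck = NewCommand("SELECT COUNT(*) as cnt FROM machines WHERE machineid = ? AND pctypeid IS NOT NULL")
' 3 = adInteger, 1 = adParamInput
cmdCheck.Parameters.Append cmdCheck.CreateParameter("@pcid", 3, 1, , CLng(pcid))
Set rsCheck = cmdCheck.Execute
' Fail closed: an empty result set counts as "not found"
pcExists = False
If Not rsCheck.EOF Then pcExists = (CLng(rsCheck("cnt")) > 0)
rsCheck.Close
Set rsCheck = Nothing
Set cmdCheck = Nothing
If Not pcExists Then
    objConn.Close
    Response.Redirect "displaypcs.asp"
    Response.End
End If

' NOTE(review): the INSERTs below and the final UPDATE are not in a
' transaction, so a failure part-way leaves the vendor/model rows behind.
' objConn.BeginTrans is not used anywhere visible here; confirm the tables'
' storage engine supports transactions before adding it.

' ---------------------------------------------------------------------------
' Optional: create the new vendor (ispc = 1)
' ---------------------------------------------------------------------------
If vendorid = "new" Then
    Dim cmdNewVendor
    Set cmdNewVendor = NewCommand("INSERT INTO vendors (vendor, isactive, isprinter, ispc, ismachine) VALUES (?, 1, 0, 1, 0)")
    ' 200 = adVarChar, 1 = adParamInput, size 50 matches the length check above
    cmdNewVendor.Parameters.Append cmdNewVendor.CreateParameter("@vendor", 200, 1, 50, newvendorname)

    On Error Resume Next
    cmdNewVendor.Execute
    Dim vendorErrNumber, vendorErr
    vendorErrNumber = Err.Number
    vendorErr = Err.Description
    ' Re-enable error handling right away so a failing LAST_INSERT_ID() lookup
    ' is not silently swallowed (Resume Next used to stay active to the end
    ' of this block).
    On Error Goto 0
    Set cmdNewVendor = Nothing
    If vendorErrNumber <> 0 Then
        ' NOTE(review): echoing the driver's error text (even HTML-encoded)
        ' discloses table/column names to the user; prefer a generic message
        ' here and log the detail server-side.
        AbortWithError "Error creating vendor: " & Server.HTMLEncode(vendorErr), returnPage
    End If
    vendorid = LastInsertId()
End If

' ---------------------------------------------------------------------------
' Optional: create the new model
' ---------------------------------------------------------------------------
If modelnumberid = "new" Then
    ' A vendor id on the form (selected, or just created above) takes
    ' precedence over the new-model vendor field. IsNumeric("") and
    ' IsNumeric("new") are both False, so this only fires for a real id.
    If IsNumeric(vendorid) Then newvendorid = vendorid

    Dim cmdNewModel
    Set cmdNewModel = NewCommand("INSERT INTO models (modelnumber, vendorid, isactive) VALUES (?, ?, 1)")
    cmdNewModel.Parameters.Append cmdNewModel.CreateParameter("@modelnumber", 200, 1, 50, newmodelnumber)
    cmdNewModel.Parameters.Append cmdNewModel.CreateParameter("@vendorid", 3, 1, , CLng(newvendorid))

    On Error Resume Next
    cmdNewModel.Execute
    Dim modelErrNumber, modelErr
    modelErrNumber = Err.Number
    modelErr = Err.Description
    On Error Goto 0
    Set cmdNewModel = Nothing
    If modelErrNumber <> 0 Then
        ' NOTE(review): same information-disclosure concern as the vendor
        ' error message above.
        AbortWithError "Error creating model: " & Server.HTMLEncode(modelErr), returnPage
    End If
    modelnumberid = LastInsertId()
End If

' ---------------------------------------------------------------------------
' Update the PC row (machines table; only rows with a pctypeid are touched)
' ---------------------------------------------------------------------------
Dim cmdUpdate
Set cmdUpdate = NewCommand("UPDATE machines SET modelnumberid = ?, machinenumber = ?, lastupdated = NOW() WHERE machineid = ? AND pctypeid IS NOT NULL")

' Blank optional fields are written as NULL, not "" or 0.
' modelnumberid is "" or a positive id here (a "new" value was replaced by the
' generated id above).
If IsNumeric(modelnumberid) Then
    cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@modelnumberid", 3, 1, , CLng(modelnumberid))
Else
    cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@modelnumberid", 3, 1, , Null)
End If
If machinenumber <> "" Then
    cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@machinenumber", 200, 1, 50, machinenumber)
Else
    cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@machinenumber", 200, 1, 50, Null)
End If
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@pcid", 3, 1, , CLng(pcid))

On Error Resume Next
cmdUpdate.Execute
Dim updateErrNumber, updateErr
updateErrNumber = Err.Number
updateErr = Err.Description
On Error Goto 0
Set cmdUpdate = Nothing
If updateErrNumber <> 0 Then
    ' NOTE(review): same information-disclosure concern as above.
    AbortWithError "Error updating PC: " & Server.HTMLEncode(updateErr), returnPage
End If

objConn.Close

' Success - show success message and link back to the PC
ShowSuccess "PC updated successfully.", returnPage, "PC details"
%>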