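<%
'=============================================================================
' FILE: editprinter.asp
' PURPOSE: Edit printer information with nested entity creation
' SECURITY: Parameterized queries, HTML encoding, input validation
' UPDATED: 2025-10-27 - Migrated to secure patterns
'
' Relies on names provided by an earlier include (not part of this file):
'   objConn                        - open ADODB connection
'   GetSafeInteger / GetSafeString - bounded request readers
'                                    (source, name, default, min, max)
'
' NOTE(review): the HTML markup around the Response.Write messages appears to
' have been stripped in this copy; only the message text is reproduced here.
' NOTE(review): no anti-forgery token check is visible in this file; confirm
' the shared include enforces one for form POSTs before this page runs.
'=============================================================================

' ADO constants are written numerically to avoid a "Name redefined" clash if
' adovbs.inc is already included: CommandType 1 = adCmdText; parameter type
' 200 = adVarChar, 3 = adInteger; direction 1 = adParamInput.

'-----------------------------------------------------------------------------
' AbortWithError: write msg plus the "Go back" text, close the connection and
' end the response. msg must already be HTML-safe. Every validation and
' database failure on this page funnels through here.
'-----------------------------------------------------------------------------
Sub AbortWithError(msg)
    Response.Write(msg)
    Response.Write("Go back")
    objConn.Close
    Response.End
End Sub

'-----------------------------------------------------------------------------
' LastInsertId: return LAST_INSERT_ID() from objConn as a Long. Must run on the
' same connection immediately after the INSERT whose id is wanted. A failing
' SELECT propagates to the caller's error guard (the result stays Empty).
'-----------------------------------------------------------------------------
Function LastInsertId()
    Dim rsId
    Set rsId = objConn.Execute("SELECT LAST_INSERT_ID() AS newid")
    LastInsertId = CLng(rsId("newid"))
    rsId.Close
    Set rsId = Nothing
End Function

'=============================================================================
' SECURITY: Validate printerid from querystring
'=============================================================================
Dim printerid
printerid = GetSafeInteger("QS", "printerid", 0, 1, 999999)
If printerid = 0 Then
    Call AbortWithError("Error: Invalid printer ID.")
End If

'=============================================================================
' SECURITY: Get and validate all form inputs
' Strings are length-bounded by GetSafeString; integers range-bounded by
' GetSafeInteger (0 / default is returned for out-of-range input).
' NOTE(review): ipaddress and fqdn are length-limited only; if a format check
' is wanted it is not applied anywhere visible on this page.
'=============================================================================
Dim modelid, serialnumber, ipaddress, fqdn, printercsfname, printerwindowsname
Dim machineid, maptop, mapleft
modelid            = GetSafeString("FORM", "modelid", "", 1, 50)
serialnumber       = GetSafeString("FORM", "serialnumber", "", 0, 100)
ipaddress          = GetSafeString("FORM", "ipaddress", "", 0, 50)
fqdn               = GetSafeString("FORM", "fqdn", "", 0, 255)
printercsfname     = GetSafeString("FORM", "printercsfname", "", 0, 50)
printerwindowsname = GetSafeString("FORM", "printerwindowsname", "", 0, 255)
machineid          = GetSafeInteger("FORM", "machineid", 0, 1, 999999)
maptop             = GetSafeInteger("FORM", "maptop", 50, 0, 9999)
mapleft            = GetSafeInteger("FORM", "mapleft", 50, 0, 9999)

' Form inputs for an optional new model
Dim newmodelnumber, newvendorid, newmodelnotes, newmodeldocpath
newmodelnumber  = GetSafeString("FORM", "newmodelnumber", "", 0, 255)
newvendorid     = GetSafeString("FORM", "newvendorid", "", 0, 50)
newmodelnotes   = GetSafeString("FORM", "newmodelnotes", "", 0, 255)
newmodeldocpath = GetSafeString("FORM", "newmodeldocpath", "", 0, 255)

' Form input for an optional new vendor (only used when newvendorid = "new")
Dim newvendorname
newvendorname = GetSafeString("FORM", "newvendorid", "", 0, 50)
newvendorname = GetSafeString("FORM", "newvendorname", "", 0, 50)

'=============================================================================
' Validate required fields
'=============================================================================
' modelid is either the literal "new" or an existing numeric id; anything else
' is rejected here rather than inside CLng() later.
If modelid <> "new" And (Not IsNumeric(modelid)) Then
    Call AbortWithError("Error: Invalid model ID.")
End If
If machineid = 0 Then
    Call AbortWithError("Error: Invalid machine ID.")
End If

' Scratch copy of Err.Description, taken before On Error GoTo 0 clears Err.
Dim errText

'=============================================================================
' SECURITY: Handle new model creation with parameterized query
' NOTE(review): the vendor and model INSERTs are not wrapped in a transaction,
' so a failed model insert leaves the freshly created vendor row behind.
' objConn.BeginTrans/CommitTrans/RollbackTrans would bound that if the tables
' are transactional - confirm engine/table type before adding it.
' NOTE(review): Err.Description is HTML-encoded (no script injection) but still
' reveals driver/schema detail to the user; a server-side log plus a generic
' message would be the tighter pattern.
'=============================================================================
If modelid = "new" Then
    If Len(newmodelnumber) = 0 Then
        Call AbortWithError("New model number is required")
    End If
    If Len(newvendorid) = 0 Then
        Call AbortWithError("Vendor is required for new model")
    End If
    ' Same rule as modelid: an existing vendor id must be numeric. Without this
    ' the CLng(newvendorid) below raises a type mismatch that On Error Resume
    ' Next would surface only as a confusing "Error creating new model".
    If newvendorid <> "new" And (Not IsNumeric(newvendorid)) Then
        Call AbortWithError("Error: Invalid vendor ID.")
    End If

    ' Nested case: create the vendor first, then use its id for the model.
    If newvendorid = "new" Then
        If Len(newvendorname) = 0 Then
            Call AbortWithError("New vendor name is required")
        End If

        Dim cmdNewVendor
        On Error Resume Next
        Set cmdNewVendor = Server.CreateObject("ADODB.Command")
        cmdNewVendor.ActiveConnection = objConn
        cmdNewVendor.CommandText = "INSERT INTO vendors (vendor, isactive, isprinter, ispc, ismachine) VALUES (?, 1, 1, 0, 0)"
        cmdNewVendor.CommandType = 1
        cmdNewVendor.Parameters.Append cmdNewVendor.CreateParameter("@vendor", 200, 1, 50, newvendorname)
        cmdNewVendor.Execute
        ' The id lookup stays under the same guard so a failed SELECT cannot
        ' leave newvendorid Empty and be silently passed to the model insert.
        If Err.Number = 0 Then newvendorid = LastInsertId()
        If Err.Number <> 0 Then
            errText = Server.HTMLEncode(Err.Description)
            On Error GoTo 0
            Set cmdNewVendor = Nothing
            Call AbortWithError("Error creating new vendor: " & errText)
        End If
        On Error GoTo 0
        Set cmdNewVendor = Nothing
    End If

    Dim cmdNewModel
    On Error Resume Next
    Set cmdNewModel = Server.CreateObject("ADODB.Command")
    cmdNewModel.ActiveConnection = objConn
    cmdNewModel.CommandText = "INSERT INTO models (modelnumber, vendorid, notes, documentationpath, isactive) VALUES (?, ?, ?, ?, 1)"
    cmdNewModel.CommandType = 1
    cmdNewModel.Parameters.Append cmdNewModel.CreateParameter("@modelnumber", 200, 1, 255, newmodelnumber)
    cmdNewModel.Parameters.Append cmdNewModel.CreateParameter("@vendorid", 3, 1, , CLng(newvendorid))
    cmdNewModel.Parameters.Append cmdNewModel.CreateParameter("@notes", 200, 1, 255, newmodelnotes)
    cmdNewModel.Parameters.Append cmdNewModel.CreateParameter("@documentationpath", 200, 1, 255, newmodeldocpath)
    cmdNewModel.Execute
    If Err.Number = 0 Then modelid = LastInsertId()
    If Err.Number <> 0 Then
        errText = Server.HTMLEncode(Err.Description)
        On Error GoTo 0
        Set cmdNewModel = Nothing
        Call AbortWithError("Error creating new model: " & errText)
    End If
    On Error GoTo 0
    Set cmdNewModel = Nothing
End If

'=============================================================================
' SECURITY: Update printer using parameterized query
'=============================================================================
Dim strSQL
strSQL = "UPDATE printers SET modelid = ?, serialnumber = ?, ipaddress = ?, fqdn = ?, " & _
         "printercsfname = ?, printerwindowsname = ?, machineid = ?, maptop = ?, mapleft = ? " & _
         "WHERE printerid = ?"

Dim cmdUpdate
On Error Resume Next
Set cmdUpdate = Server.CreateObject("ADODB.Command")
cmdUpdate.ActiveConnection = objConn
cmdUpdate.CommandText = strSQL
cmdUpdate.CommandType = 1
' Parameters are positional: append them in the order of the ? placeholders.
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@modelid", 3, 1, , CLng(modelid))
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@serialnumber", 200, 1, 100, serialnumber)
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@ipaddress", 200, 1, 50, ipaddress)
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@fqdn", 200, 1, 255, fqdn)
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@printercsfname", 200, 1, 50, printercsfname)
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@printerwindowsname", 200, 1, 255, printerwindowsname)
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@machineid", 3, 1, , CLng(machineid))
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@maptop", 3, 1, , CLng(maptop))
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@mapleft", 3, 1, , CLng(mapleft))
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@printerid", 3, 1, , CLng(printerid))
cmdUpdate.Execute
If Err.Number <> 0 Then
    errText = Server.HTMLEncode(Err.Description)
    On Error GoTo 0
    Set cmdUpdate = Nothing
    Call AbortWithError("Error: " & errText)
End If
On Error GoTo 0
Set cmdUpdate = Nothing
%>
<%
'=============================================================================
' CLEANUP
' NOTE(review): any page markup between the two script blocks is not in this
' copy of the file.
'=============================================================================
objConn.Close
%>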