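<%
'=============================================================================
' FILE: updatedevice_direct.asp
' PURPOSE: Update PC/device with optional vendor and model creation
' SECURITY: Parameterized queries, HTML encoding, input validation
' UPDATED: 2025-10-27 - Migrated to secure patterns
'
' Flow: read form -> validate every field -> (optionally) insert vendor and
' model rows -> parameterized UPDATE of the pc row -> redirect.
' All validation now happens BEFORE any row is written, so a rejected
' hostname/machinenumber can no longer leave an orphaned vendor/model behind.
'
' NOTE(review): objConn is expected to be opened by an include that precedes
' this page; whether that include also authenticates the caller is not
' visible here - confirm before exposing the page.
' NOTE: the vendor insert, model insert and pc update are not wrapped in a
' transaction; if the UPDATE fails the newly inserted rows remain.
'=============================================================================
%>
<%
' ---------------------------------------------------------------------------
' Helpers. VBScript hoists Sub/Function definitions, so they may be declared
' before the statements that use them.
' ---------------------------------------------------------------------------

' Returns True when value is a string of 1..10 ASCII digits whose numeric
' value is between 1 and 2147483647 (CLng range). This is stricter than
' IsNumeric, which also accepts signs, decimals and exponent notation that
' CLng would silently convert into a different id, and it prevents CLng
' overflowing on oversized input.
Function IsValidId(value)
    Dim i
    IsValidId = False
    If Len(value) = 0 Or Len(value) > 10 Then Exit Function
    For i = 1 To Len(value)
        If InStr("0123456789", Mid(value, i, 1)) = 0 Then Exit Function
    Next
    IsValidId = (CDbl(value) >= 1 And CDbl(value) <= 2147483647)
End Function

' Release the connection and send the user back to the edit form with an
' error code. Response.Redirect ends page processing, so the cleanup has to
' run BEFORE it is called (the original placed objConn.Close after the
' redirect, where it never executed). pcid is validated before the first
' call, so it is safe to embed in the URL.
Sub AbortWithError(code)
    On Error Resume Next
    objConn.Close
    On Error Goto 0
    Response.Redirect("editdevice.asp?pcid=" & pcid & "&error=" & code)
End Sub

' Same as AbortWithError but forwards a database error description.
' NOTE(review): the description comes straight from the DB driver and is
' shown to the browser via the msg parameter; it can reveal table/column
' names. Logging it server-side and sending only a generic code would be the
' safer contract, but editdevice.asp currently expects msg.
Sub AbortWithDbError(description)
    On Error Resume Next
    objConn.Close
    On Error Goto 0
    Response.Redirect("editdevice.asp?pcid=" & pcid & "&error=db&msg=" & Server.URLEncode(Server.HTMLEncode(description)))
End Sub

' Run an already-prepared ADODB.Command and return LAST_INSERT_ID() for the
' row it inserted. LAST_INSERT_ID() is per-connection, so it is executed on
' objConn directly after the command. Any error (in the INSERT or in the id
' fetch, which the original did not check) aborts the request.
Function ExecuteInsert(cmd)
    Dim rs, failure
    On Error Resume Next
    cmd.Execute
    If Err.Number = 0 Then
        Set rs = objConn.Execute("SELECT LAST_INSERT_ID() AS newid")
    End If
    failure = Err.Description
    If Err.Number <> 0 Then
        On Error Goto 0
        Set cmd = Nothing
        AbortWithDbError failure
    End If
    On Error Goto 0
    ExecuteInsert = CLng(rs("newid"))
    rs.Close
    Set rs = Nothing
    Set cmd = Nothing
End Function

' Insert a vendor flagged as a PC vendor (ispc=1) and return its new id.
Function InsertVendor(vendorName)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = objConn
    cmd.CommandText = "INSERT INTO vendors (vendor, isactive, isprinter, ispc, ismachine) VALUES (?, 1, 0, 1, 0)"
    cmd.CommandType = 1 ' adCmdText
    ' 200 = adVarChar, 1 = adParamInput, size 50 matches the length check
    cmd.Parameters.Append cmd.CreateParameter("@vendor", 200, 1, 50, vendorName)
    InsertVendor = ExecuteInsert(cmd)
End Function

' Insert an active model for vendorId and return its new id.
Function InsertModel(modelNumber, vendorId)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = objConn
    cmd.CommandText = "INSERT INTO models (modelnumber, vendorid, isactive) VALUES (?, ?, 1)"
    cmd.CommandType = 1 ' adCmdText
    cmd.Parameters.Append cmd.CreateParameter("@modelnumber", 200, 1, 50, modelNumber)
    cmd.Parameters.Append cmd.CreateParameter("@vendorid", 3, 1, , vendorId) ' 3 = adInteger
    InsertModel = ExecuteInsert(cmd)
End Function

' Append an optional text parameter; an empty string is stored as SQL NULL.
Sub AppendOptionalText(cmd, name, size, value)
    If value <> "" Then
        cmd.Parameters.Append cmd.CreateParameter(name, 200, 1, size, value)
    Else
        cmd.Parameters.Append cmd.CreateParameter(name, 200, 1, size, Null)
    End If
End Sub

' Append an optional integer parameter; an empty string is stored as SQL
' NULL. value is either "" or an id already validated/created above.
Sub AppendOptionalInt(cmd, name, value)
    If value <> "" Then
        cmd.Parameters.Append cmd.CreateParameter(name, 3, 1, , CLng(value))
    Else
        cmd.Parameters.Append cmd.CreateParameter(name, 3, 1, , Null)
    End If
End Sub

' ---------------------------------------------------------------------------
' Read form data
' ---------------------------------------------------------------------------
Dim pcid, pcstatusid, pctypeid, hostname, modelnumberid, machinenumber, isactive
pcid = Trim(Request.Form("pcid"))
pcstatusid = Trim(Request.Form("pcstatusid"))
pctypeid = Trim(Request.Form("pctypeid"))
hostname = Trim(Request.Form("hostname"))
modelnumberid = Trim(Request.Form("modelnumberid"))
machinenumber = Trim(Request.Form("machinenumber"))
isactive = Trim(Request.Form("isactive"))

' Inputs for an optional new model ("new" in modelnumberid)
Dim newmodelnumber, newvendorid
newmodelnumber = Trim(Request.Form("newmodelnumber"))
newvendorid = Trim(Request.Form("newvendorid"))

' Input for an optional new vendor ("new" in newvendorid)
Dim newvendorname
newvendorname = Trim(Request.Form("newvendorname"))

' ---------------------------------------------------------------------------
' Validate - nothing is written to the database until every check passes
' ---------------------------------------------------------------------------
' pcid is the only field that cannot be echoed back into a redirect URL
' before it is validated, hence the plain response here.
If Not IsValidId(pcid) Then
    Response.Write("Invalid PC ID")
    objConn.Close
    Response.End
End If

If Not IsValidId(pcstatusid) Then AbortWithError "REQUIRED_FIELD"

' Checkbox: absent from the form data when unchecked
If isactive = "1" Then
    isactive = 1
Else
    isactive = 0
End If

If pctypeid <> "" Then
    If Not IsValidId(pctypeid) Then AbortWithError "INVALID_ID"
End If

' modelnumberid may be an existing id or the literal "new"
If modelnumberid <> "" And modelnumberid <> "new" Then
    If Not IsValidId(modelnumberid) Then AbortWithError "INVALID_ID"
End If

' Length limits match the parameter sizes used in the UPDATE below.
' hostname is only length-checked here; pages that render it must HTML-encode.
If hostname <> "" And Len(hostname) > 255 Then AbortWithError "INVALID_INPUT"
If machinenumber <> "" And Len(machinenumber) > 50 Then AbortWithError "INVALID_INPUT"

If modelnumberid = "new" Then
    If Len(newmodelnumber) = 0 Then AbortWithError "REQUIRED_FIELD"
    If Len(newvendorid) = 0 Then AbortWithError "REQUIRED_FIELD"
    If Len(newmodelnumber) > 50 Then AbortWithError "INVALID_INPUT"
    If newvendorid = "new" Then
        If Len(newvendorname) = 0 Then AbortWithError "REQUIRED_FIELD"
        If Len(newvendorname) > 50 Then AbortWithError "INVALID_INPUT"
    ElseIf Not IsValidId(newvendorid) Then
        ' FIX: an existing-vendor id was never validated before CLng(), so a
        ' non-numeric value raised an unhandled runtime error mid-request.
        AbortWithError "INVALID_ID"
    End If
End If

' ---------------------------------------------------------------------------
' Optional inserts (vendor first, then model that references it)
' ---------------------------------------------------------------------------
If modelnumberid = "new" Then
    If newvendorid = "new" Then
        newvendorid = InsertVendor(newvendorname)
    End If
    modelnumberid = InsertModel(newmodelnumber, CLng(newvendorid))
End If

' ---------------------------------------------------------------------------
' Parameterized UPDATE of the pc row
' ---------------------------------------------------------------------------
Dim updateSQL, cmdUpdate, errMsg
updateSQL = "UPDATE pc SET pcstatusid = ?, isactive = ?, pctypeid = ?, hostname = ?, modelnumberid = ?, machinenumber = ?, lastupdated = NOW() WHERE pcid = ?"
Set cmdUpdate = Server.CreateObject("ADODB.Command")
cmdUpdate.ActiveConnection = objConn
cmdUpdate.CommandText = updateSQL
cmdUpdate.CommandType = 1 ' adCmdText

' Parameters are positional: the order below must match the ? placeholders
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@pcstatusid", 3, 1, , CLng(pcstatusid))
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@isactive", 3, 1, , isactive)
AppendOptionalInt cmdUpdate, "@pctypeid", pctypeid
AppendOptionalText cmdUpdate, "@hostname", 255, hostname
AppendOptionalInt cmdUpdate, "@modelnumberid", modelnumberid
AppendOptionalText cmdUpdate, "@machinenumber", 50, machinenumber
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@pcid", 3, 1, , CLng(pcid))

On Error Resume Next
cmdUpdate.Execute
If Err.Number = 0 Then
    On Error Goto 0
    Set cmdUpdate = Nothing
    objConn.Close
    ' Success - back to the scan page, ready for the next device
    Response.Redirect("./adddevice.asp")
Else
    errMsg = Server.HTMLEncode(Err.Description)
    On Error Goto 0
    Set cmdUpdate = Nothing
    objConn.Close
    Response.Redirect("./editdevice.asp?pcid=" & pcid & "&error=db&msg=" & Server.URLEncode(errMsg))
End If
%>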