<%
'=============================================================================
' FILE: saveprinter_direct.asp
' PURPOSE: Create printer with nested entity creation (vendor, model)
' SECURITY: Parameterized queries, HTML encoding, input validation
' UPDATED: 2025-10-27 - Migrated to secure patterns
'=============================================================================
%>
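<%
' ----------------------------------------------------------------------------
' Read the submitted form fields and reject anything that does not satisfy the
' constraints the parameterized INSERTs further down rely on. Every failure
' path closes the connection, renders the message via ShowError and ends the
' response.
' NOTE(review): objConn (an open ADODB.Connection) and ShowError are not
' defined in this file; they are presumably provided by an include processed
' before this page — confirm.
' ----------------------------------------------------------------------------
Dim modelid, serialnumber, ipaddress, fqdn, printercsfname, printerwindowsname
Dim printerpin, machineid, maptop, mapleft
modelid            = Trim(Request.Form("modelid"))
serialnumber       = Trim(Request.Form("serialnumber"))
ipaddress          = Trim(Request.Form("ipaddress"))
fqdn               = Trim(Request.Form("fqdn"))
printercsfname     = Trim(Request.Form("printercsfname"))
printerwindowsname = Trim(Request.Form("printerwindowsname"))
printerpin         = Trim(Request.Form("printerpin"))
machineid          = Trim(Request.Form("machineid"))
maptop             = Trim(Request.Form("maptop"))
mapleft            = Trim(Request.Form("mapleft"))

' Fields that are only meaningful when the user asked for a new model
' (modelid = "new").
Dim newmodelnumber, newvendorid, newmodelnotes, newmodeldocpath
newmodelnumber  = Trim(Request.Form("newmodelnumber"))
newvendorid     = Trim(Request.Form("newvendorid"))
newmodelnotes   = Trim(Request.Form("newmodelnotes"))
newmodeldocpath = Trim(Request.Form("newmodeldocpath"))

' Field that is only meaningful when the new model also needs a new vendor
' (newvendorid = "new").
Dim newvendorname
newvendorname = Trim(Request.Form("newvendorname"))

' --- Required fields and identifier formats ---------------------------------
If modelid = "" Then
    objConn.Close
    ShowError "Error: Model is required.", "addprinter.asp"
    Response.End
End If

' "new" is a sentinel meaning "create the model described by the newmodel*
' fields"; any other value must be a numeric model id.
' NOTE(review): IsNumeric also accepts decimal and exponent forms, which CLng
' will round or reject later; a digits-only check would be stricter.
If modelid <> "new" And Not IsNumeric(modelid) Then
    objConn.Close
    ShowError "Error: Invalid model ID.", "addprinter.asp"
    Response.End
End If

' machineid is optional; its format is checked only when a value was supplied.
If machineid <> "" And Not IsNumeric(machineid) Then
    objConn.Close
    ShowError "Error: Invalid machine ID.", "addprinter.asp"
    Response.End
End If

If serialnumber = "" Or ipaddress = "" Or printerwindowsname = "" Then
    objConn.Close
    ShowError "Error: Required fields missing.", "addprinter.asp"
    Response.End
End If

' --- Length limits ----------------------------------------------------------
' The limits mirror the sizes declared on the ADODB parameters that bind these
' values: serialnumber 100, fqdn 255, printercsfname 50, printerwindowsname 255.
If Len(serialnumber) > 100 Or Len(fqdn) > 255 Or Len(printercsfname) > 50 Or Len(printerwindowsname) > 255 Then
    objConn.Close
    ShowError "Error: Field length exceeded.", "addprinter.asp"
    Response.End
End If

' ipaddress is bound to a 50-character parameter and printerpin to a
' 10-character one; an over-long value would otherwise reach ADO unchecked,
' and the duplicate-IP lookup runs before any On Error handling is in place.
If Len(ipaddress) > 50 Or Len(printerpin) > 10 Then
    objConn.Close
    ShowError "Error: Field length exceeded.", "addprinter.asp"
    Response.End
End If

' Objects for the duplicate-IP check that follows.
Dim checkSQL, rsCheck, cmdCheck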
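' ----------------------------------------------------------------------------
' Duplicate check: refuse to add a second active printer with the same IP.
' The IP is bound as a parameter (200 = adVarChar, 1 = adParamInput, size 50),
' never concatenated into the statement. CommandType 1 = adCmdText.
' NOTE(review): this lookup and the INSERT at the bottom are not atomic, so two
' concurrent submissions can both pass it; a UNIQUE index on printers.ipaddress
' is the authoritative guard and this check only yields a friendlier message.
' ----------------------------------------------------------------------------
checkSQL = "SELECT COUNT(*) as cnt FROM printers WHERE ipaddress = ? AND isactive = 1"
Set cmdCheck = Server.CreateObject("ADODB.Command")
cmdCheck.ActiveConnection = objConn
cmdCheck.CommandText = checkSQL
cmdCheck.CommandType = 1
cmdCheck.Parameters.Append cmdCheck.CreateParameter("@ipaddress", 200, 1, 50, ipaddress)
Set rsCheck = cmdCheck.Execute

If Not rsCheck.EOF Then
    If Not IsNull(rsCheck("cnt")) Then
        If CLng(rsCheck("cnt")) > 0 Then
            rsCheck.Close
            Set rsCheck = Nothing
            Set cmdCheck = Nothing
            objConn.Close
            ' ipaddress is user input echoed back to the browser, hence HTMLEncode.
            ShowError "Error: A printer with IP address '" & Server.HTMLEncode(ipaddress) & "' already exists.", "addprinter.asp"
            Response.End
        End If
    End If
End If
rsCheck.Close
Set rsCheck = Nothing
Set cmdCheck = Nothing

' ----------------------------------------------------------------------------
' Optional nested creation: a new model, and inside that optionally a new
' vendor. On success modelid (and newvendorid) are replaced by the numeric ids
' of the rows just inserted.
' NOTE(review): vendor, model and printer are three independent statements on
' objConn; if a later INSERT fails the earlier rows remain. Wrapping the whole
' page in objConn.BeginTrans / CommitTrans / RollbackTrans would make it
' atomic — confirm the storage engine supports transactions before adding it.
' ----------------------------------------------------------------------------
If modelid = "new" Then
    If Len(newmodelnumber) = 0 Then
        objConn.Close
        ShowError "New model number is required", "addprinter.asp"
        Response.End
    End If

    If Len(newvendorid) = 0 Then
        objConn.Close
        ShowError "Vendor is required for new model", "addprinter.asp"
        Response.End
    End If

    ' newvendorid must be either the "new" sentinel or a numeric vendor id.
    ' Without this check a non-numeric value would only fail at CLng() inside
    ' the On Error Resume Next region below and surface as a misleading
    ' "Error creating new model" message.
    If newvendorid <> "new" And Not IsNumeric(newvendorid) Then
        objConn.Close
        ShowError "Invalid vendor ID", "addprinter.asp"
        Response.End
    End If

    ' Limits mirror the 255-character parameters bound on the models INSERT.
    If Len(newmodelnumber) > 255 Or Len(newmodelnotes) > 255 Or Len(newmodeldocpath) > 255 Then
        objConn.Close
        ShowError "Model field length exceeded", "addprinter.asp"
        Response.End
    End If

    ' --- Nested vendor creation ---------------------------------------------
    If newvendorid = "new" Then
        If Len(newvendorname) = 0 Then
            objConn.Close
            ShowError "New vendor name is required", "addprinter.asp"
            Response.End
        End If

        ' Mirrors the 50-character parameter bound below.
        If Len(newvendorname) > 50 Then
            objConn.Close
            ShowError "Vendor name too long", "addprinter.asp"
            Response.End
        End If

        ' New vendors created from this page are flagged as printer vendors
        ' (isprinter = 1, ispc = 0, ismachine = 0).
        Dim sqlNewVendor, cmdNewVendor
        sqlNewVendor = "INSERT INTO vendors (vendor, isactive, isprinter, ispc, ismachine) VALUES (?, 1, 1, 0, 0)"

        On Error Resume Next
        Set cmdNewVendor = Server.CreateObject("ADODB.Command")
        cmdNewVendor.ActiveConnection = objConn
        cmdNewVendor.CommandText = sqlNewVendor
        cmdNewVendor.CommandType = 1
        cmdNewVendor.Parameters.Append cmdNewVendor.CreateParameter("@vendor", 200, 1, 50, newvendorname)
        cmdNewVendor.Execute
        If Err.Number <> 0 Then
            Set cmdNewVendor = Nothing
            objConn.Close
            ' NOTE(review): Err.Description is the raw provider message. It is
            ' HTML-encoded so it cannot inject markup, but it may still reveal
            ' schema details to the user; consider logging it server-side and
            ' showing a generic message instead.
            ShowError "Error creating new vendor: " & Server.HTMLEncode(Err.Description), "addprinter.asp"
            Response.End
        End If
        Set cmdNewVendor = Nothing
        On Error Goto 0

        ' LAST_INSERT_ID() is scoped to this connection, so it refers to the
        ' INSERT just executed on objConn.
        Dim rsNewVendor
        Set rsNewVendor = objConn.Execute("SELECT LAST_INSERT_ID() AS newid")
        newvendorid = 0
        If Not rsNewVendor.EOF Then
            If Not IsNull(rsNewVendor("newid")) Then
                newvendorid = CLng(rsNewVendor("newid"))
            End If
        End If
        rsNewVendor.Close
        Set rsNewVendor = Nothing

        ' Do not continue into the models INSERT with vendorid = 0, which
        ' would create a model pointing at a non-existent vendor.
        If newvendorid <= 0 Then
            objConn.Close
            ShowError "Error creating new vendor: no vendor ID was returned", "addprinter.asp"
            Response.End
        End If
    End If

    ' --- Model creation -----------------------------------------------------
    ' 3 = adInteger for vendorid; 200 = adVarChar for the text columns.
    Dim sqlNewModel, cmdNewModel
    sqlNewModel = "INSERT INTO models (modelnumber, vendorid, notes, documentationpath, isactive) VALUES (?, ?, ?, ?, 1)"

    On Error Resume Next
    Set cmdNewModel = Server.CreateObject("ADODB.Command")
    cmdNewModel.ActiveConnection = objConn
    cmdNewModel.CommandText = sqlNewModel
    cmdNewModel.CommandType = 1
    cmdNewModel.Parameters.Append cmdNewModel.CreateParameter("@modelnumber", 200, 1, 255, newmodelnumber)
    cmdNewModel.Parameters.Append cmdNewModel.CreateParameter("@vendorid", 3, 1, , CLng(newvendorid))
    cmdNewModel.Parameters.Append cmdNewModel.CreateParameter("@notes", 200, 1, 255, newmodelnotes)
    cmdNewModel.Parameters.Append cmdNewModel.CreateParameter("@documentationpath", 200, 1, 255, newmodeldocpath)
    cmdNewModel.Execute
    If Err.Number <> 0 Then
        Set cmdNewModel = Nothing
        objConn.Close
        ' NOTE(review): same information-disclosure consideration as the
        ' vendor error above.
        ShowError "Error creating new model: " & Server.HTMLEncode(Err.Description), "addprinter.asp"
        Response.End
    End If
    Set cmdNewModel = Nothing
    On Error Goto 0

    Dim rsNewModel
    Set rsNewModel = objConn.Execute("SELECT LAST_INSERT_ID() AS newid")
    modelid = 0
    If Not rsNewModel.EOF Then
        If Not IsNull(rsNewModel("newid")) Then
            modelid = CLng(rsNewModel("newid"))
        End If
    End If
    rsNewModel.Close
    Set rsNewModel = Nothing

    ' Same guard as for the vendor: never insert a printer with modelid = 0.
    If modelid <= 0 Then
        objConn.Close
        ShowError "Error creating new model: no model ID was returned", "addprinter.asp"
        Response.End
    End If
End If

' ----------------------------------------------------------------------------
' Map coordinates: default to 50 when blank or not numeric.
' IsNumeric also passes values outside the Long range (and decimal/exponent
' forms); CLng on such a value raises a runtime error, so the conversion is
' guarded and falls back to the default rather than producing an unhandled
' error page.
' ----------------------------------------------------------------------------
Dim maptopValue, mapleftValue
maptopValue = 50
mapleftValue = 50
On Error Resume Next
If maptop <> "" And IsNumeric(maptop) Then
    maptopValue = CLng(maptop)
    If Err.Number <> 0 Then
        maptopValue = 50
        Err.Clear
    End If
End If
If mapleft <> "" And IsNumeric(mapleft) Then
    mapleftValue = CLng(mapleft)
    If Err.Number <> 0 Then
        mapleftValue = 50
        Err.Clear
    End If
End If
On Error Goto 0

' ----------------------------------------------------------------------------
' Printer INSERT. All user-supplied values are bound as parameters.
' ----------------------------------------------------------------------------
Dim strSQL, cmdPrinter, machineIdValue

' machineid is optional: bind NULL when it was not supplied.
' NOTE(review): IsNumeric passes values CLng cannot hold; an out-of-range
' machineid would raise here with error handling off — TODO consider a
' stricter integer check where machineid is validated.
If machineid <> "" And IsNumeric(machineid) Then
    machineIdValue = CLng(machineid)
Else
    machineIdValue = Null
End If

' PIN is optional: bind NULL when blank.
Dim printerpinValue
If printerpin <> "" Then
    printerpinValue = printerpin
Else
    printerpinValue = Null
End If

strSQL = "INSERT INTO printers (modelid, serialnumber, ipaddress, fqdn, printercsfname, printerwindowsname, printerpin, machineid, maptop, mapleft, isactive) " & _
         "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 1)"

' Parameter types: 3 = adInteger, 200 = adVarChar; 1 = adParamInput.
On Error Resume Next
Set cmdPrinter = Server.CreateObject("ADODB.Command")
cmdPrinter.ActiveConnection = objConn
cmdPrinter.CommandText = strSQL
cmdPrinter.CommandType = 1
cmdPrinter.Parameters.Append cmdPrinter.CreateParameter("@modelid", 3, 1, , CLng(modelid))
cmdPrinter.Parameters.Append cmdPrinter.CreateParameter("@serialnumber", 200, 1, 100, serialnumber)
cmdPrinter.Parameters.Append cmdPrinter.CreateParameter("@ipaddress", 200, 1, 50, ipaddress)
cmdPrinter.Parameters.Append cmdPrinter.CreateParameter("@fqdn", 200, 1, 255, fqdn)
cmdPrinter.Parameters.Append cmdPrinter.CreateParameter("@printercsfname", 200, 1, 50, printercsfname)
cmdPrinter.Parameters.Append cmdPrinter.CreateParameter("@printerwindowsname", 200, 1, 255, printerwindowsname)
cmdPrinter.Parameters.Append cmdPrinter.CreateParameter("@printerpin", 200, 1, 10, printerpinValue)
cmdPrinter.Parameters.Append cmdPrinter.CreateParameter("@machineid", 3, 1, , machineIdValue)
cmdPrinter.Parameters.Append cmdPrinter.CreateParameter("@maptop", 3, 1, , maptopValue)
cmdPrinter.Parameters.Append cmdPrinter.CreateParameter("@mapleft", 3, 1, , mapleftValue)
cmdPrinter.Execute
If Err.Number <> 0 Then
    Set cmdPrinter = Nothing
    objConn.Close
    ' NOTE(review): same information-disclosure consideration as the vendor
    ' and model errors above.
    ShowError "Error inserting printer: " & Server.HTMLEncode(Err.Description), "addprinter.asp"
    Response.End
End If
Set cmdPrinter = Nothing
On Error Goto 0

' Resolve the id of the printer just inserted (rsCheck, declared earlier, is
' reused for this query) and hand the user on to its detail page.
Dim newPrinterId
Set rsCheck = objConn.Execute("SELECT LAST_INSERT_ID() as newid")
newPrinterId = 0
If Not rsCheck.EOF Then
    If Not IsNull(rsCheck("newid")) Then
        newPrinterId = CLng(rsCheck("newid"))
    End If
End If
rsCheck.Close
Set rsCheck = Nothing
objConn.Close

If CLng(newPrinterId) > 0 Then
    ShowSuccess "Printer added successfully.", "displayprinter.asp?printerid=" & newPrinterId, "printer details"
Else
    ShowError "Printer was not added successfully.", "addprinter.asp"
End If
%>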