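<%
'=============================================================================
' FILE: updatepc_direct.asp
' PURPOSE: Update PC/device with optional vendor and model creation
' SECURITY: Parameterized queries, HTML encoding, input validation
' UPDATED: 2025-10-27 - Migrated to secure patterns
'=============================================================================
%>
<%
' ---------------------------------------------------------------------------
' Helpers
' ---------------------------------------------------------------------------

' True only when value is a string of 1-10 decimal digits whose numeric value
' lies between 1 and 2147483647, i.e. something CLng() converts without
' raising. Deliberately stricter than IsNumeric, which also accepts "1.5",
' "1e3", "+5" and "&H10". It also replaces the earlier
' `Not IsNumeric(x) Or CLng(x) < 1` form: VBScript's Or does not
' short-circuit, so that form raised a type mismatch on non-numeric input
' instead of redirecting with INVALID_ID.
Function IsPositiveId(value)
    Dim pos, ch
    IsPositiveId = False
    If Len(value) = 0 Or Len(value) > 10 Then Exit Function
    For pos = 1 To Len(value)
        ch = Mid(value, pos, 1)
        If ch < "0" Or ch > "9" Then Exit Function
    Next
    ' CDbl cannot overflow on a 10-digit string; CLng would above 2147483647
    IsPositiveId = (CDbl(value) >= 1 And CDbl(value) <= 2147483647)
End Function

' Executes a prepared ADODB.Command and returns True on success / False on
' failure instead of raising. The driver's Err.Description is intentionally
' not propagated to the browser: database error text can reveal table and
' column names, and the UPDATE path already reported a bare "db" code.
Function TryExecute(cmd)
    On Error Resume Next
    cmd.Execute
    TryExecute = (Err.Number = 0)
    On Error GoTo 0
End Function

' Returns LAST_INSERT_ID() for the current connection, or 0 if the lookup
' fails or yields nothing. Runs on objConn because LAST_INSERT_ID() is
' per-connection in MySQL and must follow the INSERT on the same connection.
Function GetLastInsertId()
    Dim rsId
    GetLastInsertId = 0
    On Error Resume Next
    Set rsId = objConn.Execute("SELECT LAST_INSERT_ID() AS newid")
    If Err.Number = 0 Then
        If Not rsId.EOF Then GetLastInsertId = CLng(rsId("newid"))
        rsId.Close
    End If
    On Error GoTo 0
    Set rsId = Nothing
End Function

' Closes the connection and sends the user back to displaypc.asp with an
' error code. The close comes first: Response.Redirect ends the response in
' classic ASP, so statements placed after it are not guaranteed to run.
Sub FailWithError(pcIdText, errorCode)
    objConn.Close
    Response.Redirect("displaypc.asp?pcid=" & pcIdText & "&error=" & errorCode)
    Response.End
End Sub

' ---------------------------------------------------------------------------
' Form data (a field that was not posted trims to "")
' ---------------------------------------------------------------------------
Dim pcid, vendorid, modelnumberid, machinenumber
pcid = Trim(Request.Form("pcid"))
vendorid = Trim(Request.Form("vendorid"))
modelnumberid = Trim(Request.Form("modelid"))
machinenumber = Trim(Request.Form("machinenumber"))

' Inputs used only when modelid = "new"
Dim newmodelnumber, newvendorid
newmodelnumber = Trim(Request.Form("newpcmodelnumber"))
newvendorid = Trim(Request.Form("newpcmodelvendorid"))

' Input used only when vendorid = "new"
Dim newvendorname
newvendorname = Trim(Request.Form("newpcvendorname"))

' ---------------------------------------------------------------------------
' Required: the PC being updated must be a valid id and must exist
' ---------------------------------------------------------------------------
If Not IsPositiveId(pcid) Then
    Response.Write("Invalid PC ID")
    objConn.Close
    Response.End
End If

Dim cmdCheck, rsCheck
Set cmdCheck = Server.CreateObject("ADODB.Command")
cmdCheck.ActiveConnection = objConn
cmdCheck.CommandText = "SELECT COUNT(*) as cnt FROM pc WHERE pcid = ?"
cmdCheck.CommandType = 1   ' adCmdText
cmdCheck.Parameters.Append cmdCheck.CreateParameter("@pcid", 3, 1, , CLng(pcid))   ' adInteger, adParamInput
Set rsCheck = cmdCheck.Execute

' An EOF result is treated as "exists", matching the previous behaviour;
' COUNT(*) always returns one row in practice.
Dim pcExists
pcExists = True
If Not rsCheck.EOF Then pcExists = (CLng(rsCheck("cnt")) > 0)
rsCheck.Close
Set rsCheck = Nothing
Set cmdCheck = Nothing

If Not pcExists Then
    objConn.Close
    Response.Redirect("displaypcs.asp")
    Response.End
End If

' ---------------------------------------------------------------------------
' Optional selectors; "new" means "create the row below". Note that vendorid
' is never written to pc (the UPDATE at the bottom has no vendorid column) -
' it only feeds model creation.
' ---------------------------------------------------------------------------
If vendorid <> "" And vendorid <> "new" Then
    If Not IsPositiveId(vendorid) Then FailWithError pcid, "INVALID_ID"
End If

If modelnumberid <> "" And modelnumberid <> "new" Then
    If Not IsPositiveId(modelnumberid) Then FailWithError pcid, "INVALID_ID"
End If

' ---------------------------------------------------------------------------
' New vendor (inserted with ispc = 1)
' ---------------------------------------------------------------------------
If vendorid = "new" Then
    If Len(newvendorname) = 0 Then FailWithError pcid, "REQUIRED_FIELD"
    If Len(newvendorname) > 50 Then FailWithError pcid, "INVALID_INPUT"

    Dim cmdNewVendor
    Set cmdNewVendor = Server.CreateObject("ADODB.Command")
    cmdNewVendor.ActiveConnection = objConn
    cmdNewVendor.CommandText = "INSERT INTO vendors (vendor, isactive, isprinter, ispc, ismachine) VALUES (?, 1, 0, 1, 0)"
    cmdNewVendor.CommandType = 1   ' adCmdText
    cmdNewVendor.Parameters.Append cmdNewVendor.CreateParameter("@vendor", 200, 1, 50, newvendorname)   ' adVarChar(50)

    If Not TryExecute(cmdNewVendor) Then
        Set cmdNewVendor = Nothing
        FailWithError pcid, "db"
    End If
    Set cmdNewVendor = Nothing

    ' From here on vendorid holds the numeric id of the row just inserted.
    ' A failed id lookup is reported rather than silently continuing with 0.
    vendorid = GetLastInsertId()
    If vendorid = 0 Then FailWithError pcid, "db"
End If

' ---------------------------------------------------------------------------
' New model
' ---------------------------------------------------------------------------
If modelnumberid = "new" Then
    If Len(newmodelnumber) = 0 Then FailWithError pcid, "REQUIRED_FIELD"
    If Len(newvendorid) = 0 Then FailWithError pcid, "REQUIRED_FIELD"
    If Len(newmodelnumber) > 50 Then FailWithError pcid, "INVALID_INPUT"

    ' A numeric vendorid (just created above, or an existing vendor picked on
    ' the form) takes precedence over newpcmodelvendorid - same rule as before.
    If IsPositiveId(CStr(vendorid)) Then newvendorid = CStr(vendorid)

    ' newpcmodelvendorid comes straight from the form and previously reached
    ' CLng unchecked, which raised on non-numeric input
    If Not IsPositiveId(CStr(newvendorid)) Then FailWithError pcid, "INVALID_ID"

    Dim cmdNewModel
    Set cmdNewModel = Server.CreateObject("ADODB.Command")
    cmdNewModel.ActiveConnection = objConn
    cmdNewModel.CommandText = "INSERT INTO models (modelnumber, vendorid, isactive) VALUES (?, ?, 1)"
    cmdNewModel.CommandType = 1   ' adCmdText
    cmdNewModel.Parameters.Append cmdNewModel.CreateParameter("@modelnumber", 200, 1, 50, newmodelnumber)   ' adVarChar(50)
    cmdNewModel.Parameters.Append cmdNewModel.CreateParameter("@vendorid", 3, 1, , CLng(newvendorid))      ' adInteger

    If Not TryExecute(cmdNewModel) Then
        Set cmdNewModel = Nothing
        FailWithError pcid, "db"
    End If
    Set cmdNewModel = Nothing

    ' From here on modelnumberid holds the numeric id of the new model
    modelnumberid = GetLastInsertId()
    If modelnumberid = 0 Then FailWithError pcid, "db"
End If

' ---------------------------------------------------------------------------
' Machine number is free text, capped at the column width used below
' ---------------------------------------------------------------------------
If Len(machinenumber) > 50 Then FailWithError pcid, "INVALID_INPUT"

' ---------------------------------------------------------------------------
' Update the PC row
' ---------------------------------------------------------------------------
Dim cmdUpdate
Set cmdUpdate = Server.CreateObject("ADODB.Command")
cmdUpdate.ActiveConnection = objConn
cmdUpdate.CommandText = "UPDATE pc SET modelnumberid = ?, machinenumber = ?, lastupdated = NOW() WHERE pcid = ?"
cmdUpdate.CommandType = 1   ' adCmdText

' An empty model selection is stored as NULL, not 0
If IsPositiveId(CStr(modelnumberid)) Then
    cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@modelnumberid", 3, 1, , CLng(modelnumberid))
Else
    cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@modelnumberid", 3, 1, , Null)
End If

' An empty machine number is stored as NULL, not ""
If machinenumber <> "" Then
    cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@machinenumber", 200, 1, 50, machinenumber)
Else
    cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@machinenumber", 200, 1, 50, Null)
End If

cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@pcid", 3, 1, , CLng(pcid))

If Not TryExecute(cmdUpdate) Then
    Set cmdUpdate = Nothing
    FailWithError pcid, "db"
End If
Set cmdUpdate = Nothing
objConn.Close

' Success - back to the detail page
Response.Redirect("./displaypc.asp?pcid=" & pcid)
%>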