<%
'=============================================================================
' FILE: editmacine.asp
' PURPOSE: Edit machine information with nested entity creation
' SECURITY: Parameterized queries, HTML encoding, input validation
' UPDATED: 2025-10-27 - Migrated to secure patterns
' NOTE: File has typo in name (macine vs machine) - preserved for compatibility
'=============================================================================
%>
<%
'=============================================================================
' SECURITY: Validate machineid from querystring
'=============================================================================
' Page preconditions (not visible in this file; presumably supplied by an
' include): objConn is an open ADODB.Connection, and GetSafeInteger /
' GetSafeString are the shared input helpers.
' NOTE(review): no authentication/authorization or anti-CSRF check is visible
' in this file. The handler changes machine data on a POST, so confirm both
' are enforced by the include chain before this point.
' NOTE(review): the Response.Write literals in this copy span several lines and
' appear to have lost their HTML markup during extraction; compare against the
' deployed file before treating them as the source of truth.
Dim machineid
' Argument order appears to be (source, name, default, min, max) - confirm
' against the helper. With default 0 and min 1, a missing, non-numeric or
' out-of-range id all collapse to 0 and are rejected below.
machineid = GetSafeInteger("QS", "machineid", 0, 1, 999999)
If machineid = 0 Then
Response.Write("
Error: Invalid machine ID.
")
Response.Write("
Go back")
objConn.Close
Response.End
End If
'=============================================================================
' SECURITY: Get and validate all form inputs
'=============================================================================
' Every form value goes through the shared helpers rather than Request.Form
' directly. From the call sites the argument order appears to be
' GetSafeString(source, name, default, minLen, maxLen, <6th arg>) and
' GetSafeInteger(source, name, default, min, max) - confirm against the helper
' definitions, which are not in this file. The sixth GetSafeString argument is
' always "" on this page; its meaning is not visible here.
Dim modelid, machinetypeid, businessunitid, printerid, mapleft, maptop
' These three arrive as strings because the form may send the literal "new"
' (handled below) instead of an id.
modelid = GetSafeString("FORM", "modelid", "", 1, 50, "")
machinetypeid = GetSafeString("FORM", "machinetypeid", "", 1, 50, "")
businessunitid = GetSafeString("FORM", "businessunitid", "", 1, 50, "")
' 0 is the "not provided" value for the optional fields; the UPDATE below only
' includes them when they are > 0.
printerid = GetSafeInteger("FORM", "printerid", 0, 0, 999999)
mapleft = GetSafeInteger("FORM", "mapleft", 0, 0, 9999)
maptop = GetSafeInteger("FORM", "maptop", 0, 0, 9999)
' Get form inputs for new business unit
Dim newbusinessunit
newbusinessunit = GetSafeString("FORM", "newbusinessunitname", "", 0, 50, "")
' Get form inputs for new machine type
Dim newmachinetype, newmachinedescription, newfunctionalaccountid
newmachinetype = GetSafeString("FORM", "newmachinetypename", "", 0, 50, "")
newmachinedescription = GetSafeString("FORM", "newmachinetypedescription", "", 0, 255, "")
' May also be the literal "new" (nested creation); only used on the
' machinetypeid = "new" path.
newfunctionalaccountid = GetSafeString("FORM", "newfunctionalaccountid", "", 0, 50, "")
' Get form inputs for new functional account
Dim newfunctionalaccount
newfunctionalaccount = GetSafeString("FORM", "newfunctionalaccountname", "", 0, 50, "")
' Get form inputs for new model
Dim newmodelnumber, newvendorid, newmodelimage
newmodelnumber = GetSafeString("FORM", "newmodelnumber", "", 0, 255, "")
' May also be the literal "new" (nested creation); only used on the
' modelid = "new" path.
newvendorid = GetSafeString("FORM", "newvendorid", "", 0, 50, "")
' NOTE(review): newmodelimage is stored as given (default "default.png" below).
' If it is later used to build a file path or URL, confirm that either the
' helper or the consumer rejects path separators.
newmodelimage = GetSafeString("FORM", "newmodelimage", "", 0, 255, "")
' Get form inputs for new vendor
Dim newvendorname
newvendorname = GetSafeString("FORM", "newvendorname", "", 0, 50, "")
'=============================================================================
' Validate required fields
'=============================================================================
' Each selector is either the literal "new" (create the entity below) or a
' numeric id string that is later converted with CLng(). An empty value fails
' IsNumeric and is rejected here as well.
' NOTE(review): IsNumeric is lenient (it accepts signs, decimals and exponent
' forms); if ids must be plain positive integers, a digit-only check would be
' tighter. The nested selectors newfunctionalaccountid and newvendorid are not
' covered by this section.
If modelid <> "new" And (Not IsNumeric(modelid)) Then
Response.Write("
Error: Invalid model ID.
")
Response.Write("
Go back")
objConn.Close
Response.End
End If
If machinetypeid <> "new" And (Not IsNumeric(machinetypeid)) Then
Response.Write("
Error: Invalid machine type ID.
")
Response.Write("
Go back")
objConn.Close
Response.End
End If
If businessunitid <> "new" And (Not IsNumeric(businessunitid)) Then
Response.Write("
Error: Invalid business unit ID.
")
Response.Write("
Go back")
objConn.Close
Response.End
End If
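'=============================================================================
' SECURITY: Handle new business unit creation with parameterized query
'=============================================================================
' When the form chose "new", insert the business unit first so the machine
' UPDATE below can reference its generated id. The name is passed as a bound
' parameter, never concatenated into SQL.
' NOTE(review): none of the inserts on this page run inside a transaction, so
' a failure later in the request leaves this row behind. BeginTrans /
' RollbackTrans on objConn would close that gap where the storage engine
' supports it.
If businessunitid = "new" Then
If Len(newbusinessunit) = 0 Then
Response.Write("
New business unit name is required
")
Response.Write("
Go back")
objConn.Close
Response.End
End If
' Insert new business unit using parameterized query
Dim sqlNewBU
sqlNewBU = "INSERT INTO businessunits (businessunit, isactive) VALUES (?, 1)"
' Resume Next covers object creation, parameter binding and Execute; the Err
' check after Execute is the single failure exit for all of them.
On Error Resume Next
Dim cmdNewBU
Set cmdNewBU = Server.CreateObject("ADODB.Command")
cmdNewBU.ActiveConnection = objConn
cmdNewBU.CommandText = sqlNewBU
cmdNewBU.CommandType = 1   ' adCmdText
' CreateParameter(name, type, direction, size, value): 200 = adVarChar,
' 1 = adParamInput. Size 50 matches the length cap the helper applied above.
cmdNewBU.Parameters.Append cmdNewBU.CreateParameter("@businessunit", 200, 1, 50, newbusinessunit)
cmdNewBU.Execute
If Err.Number <> 0 Then
' NOTE(review): Err.Description is HTML-encoded (safe to render) but it is raw
' driver text and can reveal schema details; a generic message here with the
' detail kept in a server-side log discloses less.
Response.Write("
Error creating new business unit: " & Server.HTMLEncode(Err.Description) & "
")
Response.Write("
Go back")
objConn.Close
Response.End
End If
' Get the newly created business unit ID
' LAST_INSERT_ID() is per-connection, so reading it on the same objConn that
' ran the INSERT is correct.
Dim rsNewBU
Set rsNewBU = objConn.Execute("SELECT LAST_INSERT_ID() AS newid")
businessunitid = 0
If Not rsNewBU.EOF Then
If Not IsNull(rsNewBU("newid")) Then
businessunitid = CLng(rsNewBU("newid"))
End If
End If
rsNewBU.Close
Set rsNewBU = Nothing
Set cmdNewBU = Nothing
On Error Goto 0
' Robustness: the read-back can leave businessunitid at 0 (NULL result, or the
' SELECT itself failed while Resume Next was active). Stop here instead of
' letting the UPDATE below write businessunitid = 0.
If businessunitid = 0 Then
Response.Write("Error: could not determine the new business unit ID.")
objConn.Close
Response.End
End If
End If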
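'=============================================================================
' SECURITY: Handle new machine type creation with parameterized query
'=============================================================================
' A new machine type may itself need a new functional account, so the nested
' functional-account insert runs first and its generated id feeds the
' machine-type insert. All values are bound as parameters.
If machinetypeid = "new" Then
If Len(newmachinetype) = 0 Then
Response.Write("
New machine type name is required
")
Response.Write("
Go back")
objConn.Close
Response.End
End If
If Len(newfunctionalaccountid) = 0 Then
Response.Write("
Functional account is required for new machine type
")
Response.Write("
Go back")
objConn.Close
Response.End
End If
' Consistency with the modelid/machinetypeid/businessunitid checks above:
' anything other than "new" must be numeric before it reaches CLng() below.
' Without this, a bad value only surfaces as a runtime "Type mismatch" inside
' the Resume Next region, reported as a machine-type insert failure.
If newfunctionalaccountid <> "new" And (Not IsNumeric(newfunctionalaccountid)) Then
Response.Write("Error: Invalid functional account ID.")
objConn.Close
Response.End
End If
' Handle new functional account creation (nested)
If newfunctionalaccountid = "new" Then
If Len(newfunctionalaccount) = 0 Then
Response.Write("
New functional account name is required
")
Response.Write("
Go back")
objConn.Close
Response.End
End If
' Insert new functional account using parameterized query
Dim sqlNewFA
sqlNewFA = "INSERT INTO functionalaccounts (functionalaccount, isactive) VALUES (?, 1)"
' Resume Next covers object creation, binding and Execute; the Err check after
' Execute is the single failure exit.
On Error Resume Next
Dim cmdNewFA
Set cmdNewFA = Server.CreateObject("ADODB.Command")
cmdNewFA.ActiveConnection = objConn
cmdNewFA.CommandText = sqlNewFA
cmdNewFA.CommandType = 1   ' adCmdText
' 200 = adVarChar, 1 = adParamInput; size 50 matches the helper's length cap.
cmdNewFA.Parameters.Append cmdNewFA.CreateParameter("@functionalaccount", 200, 1, 50, newfunctionalaccount)
cmdNewFA.Execute
If Err.Number <> 0 Then
' NOTE(review): Err.Description is HTML-encoded but is raw driver text; prefer
' a generic message with the detail logged server-side.
Response.Write("
Error creating new functional account: " & Server.HTMLEncode(Err.Description) & "
")
Response.Write("
Go back")
objConn.Close
Response.End
End If
' Get the newly created functional account ID
' LAST_INSERT_ID() is per-connection; same objConn as the INSERT.
Dim rsNewFA
Set rsNewFA = objConn.Execute("SELECT LAST_INSERT_ID() AS newid")
newfunctionalaccountid = 0
If Not rsNewFA.EOF Then
If Not IsNull(rsNewFA("newid")) Then
newfunctionalaccountid = CLng(rsNewFA("newid"))
End If
End If
rsNewFA.Close
Set rsNewFA = Nothing
Set cmdNewFA = Nothing
On Error Goto 0
' Robustness: do not continue with a 0 id (NULL read-back, or the SELECT failed
' while Resume Next was active); it would become the machine type's FK below.
If newfunctionalaccountid = 0 Then
Response.Write("Error: could not determine the new functional account ID.")
objConn.Close
Response.End
End If
End If
' Insert new machine type using parameterized query
Dim sqlNewMT
sqlNewMT = "INSERT INTO machinetypes (machinetype, machinedescription, functionalaccountid, isactive) VALUES (?, ?, ?, 1)"
On Error Resume Next
Dim cmdNewMT
Set cmdNewMT = Server.CreateObject("ADODB.Command")
cmdNewMT.ActiveConnection = objConn
cmdNewMT.CommandText = sqlNewMT
cmdNewMT.CommandType = 1   ' adCmdText
' Parameters are bound positionally, so they must follow the "?" order in
' sqlNewMT. 200 = adVarChar, 3 = adInteger, 1 = adParamInput.
cmdNewMT.Parameters.Append cmdNewMT.CreateParameter("@machinetype", 200, 1, 50, newmachinetype)
cmdNewMT.Parameters.Append cmdNewMT.CreateParameter("@machinedescription", 200, 1, 255, newmachinedescription)
' newfunctionalaccountid is either a Long (nested creation) or a numeric string
' validated above, so CLng() is expected to succeed here.
cmdNewMT.Parameters.Append cmdNewMT.CreateParameter("@functionalaccountid", 3, 1, , CLng(newfunctionalaccountid))
cmdNewMT.Execute
If Err.Number <> 0 Then
' NOTE(review): same information-disclosure consideration as the other
' Err.Description outputs on this page.
Response.Write("
Error creating new machine type: " & Server.HTMLEncode(Err.Description) & "
")
Response.Write("
Go back")
objConn.Close
Response.End
End If
' Get the newly created machine type ID
Dim rsNewMT
Set rsNewMT = objConn.Execute("SELECT LAST_INSERT_ID() AS newid")
machinetypeid = 0
If Not rsNewMT.EOF Then
If Not IsNull(rsNewMT("newid")) Then
machinetypeid = CLng(rsNewMT("newid"))
End If
End If
rsNewMT.Close
Set rsNewMT = Nothing
Set cmdNewMT = Nothing
On Error Goto 0
' Robustness: stop rather than let the UPDATE below write machinetypeid = 0.
If machinetypeid = 0 Then
Response.Write("Error: could not determine the new machine type ID.")
objConn.Close
Response.End
End If
End If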
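'=============================================================================
' SECURITY: Handle new model creation with parameterized query
'=============================================================================
' A new model may itself need a new vendor, so the nested vendor insert runs
' first and its generated id feeds the model insert. All values are bound as
' parameters.
If modelid = "new" Then
If Len(newmodelnumber) = 0 Then
Response.Write("
New model number is required
")
Response.Write("
Go back")
objConn.Close
Response.End
End If
If Len(newvendorid) = 0 Then
Response.Write("
Vendor is required for new model
")
Response.Write("
Go back")
objConn.Close
Response.End
End If
' Consistency with the modelid/machinetypeid/businessunitid checks above:
' anything other than "new" must be numeric before it reaches CLng() below.
' Without this, a bad value only surfaces as a runtime "Type mismatch" inside
' the Resume Next region, reported as a model insert failure.
If newvendorid <> "new" And (Not IsNumeric(newvendorid)) Then
Response.Write("Error: Invalid vendor ID.")
objConn.Close
Response.End
End If
' Handle new vendor creation (nested)
If newvendorid = "new" Then
If Len(newvendorname) = 0 Then
Response.Write("
New vendor name is required
")
Response.Write("
Go back")
objConn.Close
Response.End
End If
' Insert new vendor using parameterized query
' A vendor created from this page is flagged ismachine = 1 only; the printer
' and PC flags stay 0.
Dim sqlNewVendor
sqlNewVendor = "INSERT INTO vendors (vendor, isactive, isprinter, ispc, ismachine) VALUES (?, 1, 0, 0, 1)"
On Error Resume Next
Dim cmdNewVendor
Set cmdNewVendor = Server.CreateObject("ADODB.Command")
cmdNewVendor.ActiveConnection = objConn
cmdNewVendor.CommandText = sqlNewVendor
cmdNewVendor.CommandType = 1   ' adCmdText
' 200 = adVarChar, 1 = adParamInput; size 50 matches the helper's length cap.
cmdNewVendor.Parameters.Append cmdNewVendor.CreateParameter("@vendor", 200, 1, 50, newvendorname)
cmdNewVendor.Execute
If Err.Number <> 0 Then
' NOTE(review): Err.Description is HTML-encoded but is raw driver text; prefer
' a generic message with the detail logged server-side.
Response.Write("
Error creating new vendor: " & Server.HTMLEncode(Err.Description) & "
")
Response.Write("
Go back")
objConn.Close
Response.End
End If
' Get the newly created vendor ID
' LAST_INSERT_ID() is per-connection; same objConn as the INSERT.
Dim rsNewVendor
Set rsNewVendor = objConn.Execute("SELECT LAST_INSERT_ID() AS newid")
newvendorid = 0
If Not rsNewVendor.EOF Then
If Not IsNull(rsNewVendor("newid")) Then
newvendorid = CLng(rsNewVendor("newid"))
End If
End If
rsNewVendor.Close
Set rsNewVendor = Nothing
Set cmdNewVendor = Nothing
On Error Goto 0
' Robustness: do not continue with a 0 id (NULL read-back, or the SELECT failed
' while Resume Next was active); it would become the model's FK below.
If newvendorid = 0 Then
Response.Write("Error: could not determine the new vendor ID.")
objConn.Close
Response.End
End If
End If
' Set default image if not specified
If newmodelimage = "" Then
newmodelimage = "default.png"
End If
' Insert new model using parameterized query
Dim sqlNewModel
sqlNewModel = "INSERT INTO models (modelnumber, vendorid, image, isactive) VALUES (?, ?, ?, 1)"
On Error Resume Next
Dim cmdNewModel
Set cmdNewModel = Server.CreateObject("ADODB.Command")
cmdNewModel.ActiveConnection = objConn
cmdNewModel.CommandText = sqlNewModel
cmdNewModel.CommandType = 1   ' adCmdText
' Parameters are bound positionally, so they must follow the "?" order in
' sqlNewModel. 200 = adVarChar, 3 = adInteger, 1 = adParamInput.
cmdNewModel.Parameters.Append cmdNewModel.CreateParameter("@modelnumber", 200, 1, 255, newmodelnumber)
' newvendorid is either a Long (nested creation) or a numeric string validated
' above, so CLng() is expected to succeed here.
cmdNewModel.Parameters.Append cmdNewModel.CreateParameter("@vendorid", 3, 1, , CLng(newvendorid))
cmdNewModel.Parameters.Append cmdNewModel.CreateParameter("@image", 200, 1, 255, newmodelimage)
cmdNewModel.Execute
If Err.Number <> 0 Then
' NOTE(review): same information-disclosure consideration as the other
' Err.Description outputs on this page.
Response.Write("
Error creating new model: " & Server.HTMLEncode(Err.Description) & "
")
Response.Write("
Go back")
objConn.Close
Response.End
End If
' Get the newly created model ID
Dim rsNewModel
Set rsNewModel = objConn.Execute("SELECT LAST_INSERT_ID() AS newid")
modelid = 0
If Not rsNewModel.EOF Then
If Not IsNull(rsNewModel("newid")) Then
modelid = CLng(rsNewModel("newid"))
End If
End If
rsNewModel.Close
Set rsNewModel = Nothing
Set cmdNewModel = Nothing
On Error Goto 0
' Robustness: stop rather than let the UPDATE below write modelnumberid = 0.
If modelid = 0 Then
Response.Write("Error: could not determine the new model ID.")
objConn.Close
Response.End
End If
End If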
'=============================================================================
' SECURITY: Update machine using parameterized query
'=============================================================================
' Build UPDATE statement with parameterized query
' The SQL text is assembled only from fixed string fragments; every user value
' is bound as a parameter. The optional SET clauses are appended here and the
' matching parameters are appended below in the same order, because ADO binds
' "?" placeholders positionally.
Dim strSQL, paramCount
paramCount = 0
strSQL = "UPDATE machines SET modelnumberid = ?, machinetypeid = ?, businessunitid = ?"
paramCount = 3
' Add optional printerid
' printerid = 0 means "not submitted" and leaves the stored value untouched, so
' an existing printer assignment cannot be cleared through this form - confirm
' that is intended.
If printerid > 0 Then
strSQL = strSQL & ", printerid = ?"
paramCount = paramCount + 1
End If
' Add optional map coordinates
' Both coordinates must be > 0 for the position to be written, so a machine at
' x = 0 or y = 0 is treated as "no position" - confirm that is intended.
If mapleft > 0 And maptop > 0 Then
strSQL = strSQL & ", mapleft = ?, maptop = ?"
paramCount = paramCount + 2
End If
strSQL = strSQL & " WHERE machineid = ?"
' paramCount is bookkeeping only; nothing in this section reads it.
On Error Resume Next
Dim cmdUpdate
Set cmdUpdate = Server.CreateObject("ADODB.Command")
cmdUpdate.ActiveConnection = objConn
cmdUpdate.CommandText = strSQL
cmdUpdate.CommandType = 1   ' adCmdText
' Add parameters in order
' 3 = adInteger, 1 = adParamInput. The id variables are either Long (set from
' LAST_INSERT_ID on the "new" paths) or strings that passed IsNumeric above, so
' CLng() is expected to succeed (a very large value could still overflow, which
' the Err check below would report).
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@modelnumberid", 3, 1, , CLng(modelid))
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@machinetypeid", 3, 1, , CLng(machinetypeid))
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@businessunitid", 3, 1, , CLng(businessunitid))
If printerid > 0 Then
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@printerid", 3, 1, , CLng(printerid))
End If
If mapleft > 0 And maptop > 0 Then
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@mapleft", 3, 1, , CLng(mapleft))
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@maptop", 3, 1, , CLng(maptop))
End If
' WHERE parameter last, matching the placeholder order in strSQL.
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@machineid", 3, 1, , CLng(machineid))
cmdUpdate.Execute
' NOTE(review): machineid was only range-checked; an id that matches no row
' makes this UPDATE a silent no-op. Execute's RecordsAffected out-argument
' could detect that, but MySQL reports 0 for a matched-but-unchanged row unless
' the connection requests "found rows", so such a check needs care.
If Err.Number <> 0 Then
' NOTE(review): Err.Description is HTML-encoded (safe to render) but is raw
' driver text; a generic message with the detail logged server-side discloses
' less about the schema.
Response.Write("
Error: " & Server.HTMLEncode(Err.Description) & "
")
Response.Write("
Go back")
Set cmdUpdate = Nothing
objConn.Close
Response.End
End If
Set cmdUpdate = Nothing
On Error Goto 0
%>
<%
'=============================================================================
' CLEANUP
'=============================================================================
' Normal-path close; every early-exit branch above closes objConn itself before
' Response.End. objConn is opened outside this file (presumably an include).
objConn.Close
%>