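<%
'=============================================================================
' FILE: savedevice_direct.asp
' PURPOSE: Create new PC/device with minimal required fields
' SECURITY: Parameterized queries, HTML encoding, input validation
' UPDATED: 2025-10-27 - Migrated to secure patterns
'
' FLOW:
'   1. Read and length-check the posted serial number.
'   2. If a PC row with that serial already exists, redirect to its edit page.
'   3. Otherwise insert a row with default values and redirect to the add page.
'
' NOTE(review): objConn is used below but is not created in this file;
'   presumably it comes from an include that is not visible here - confirm.
' NOTE(review): this page writes to the database from posted form data and
'   no authentication or anti-CSRF check is visible in this file; confirm
'   one is enforced by an include or by the server configuration.
' NOTE(review): this page emits no HTML itself, so the "HTML encoding" above
'   applies only to the pages it redirects to; the values placed in redirect
'   URLs here are URL-encoded.
'=============================================================================
%>
<%
' Get the serial number from the form
Dim serialnumber
serialnumber = Trim(Request.Form("serialnumber"))

' Basic validation - the serial number must be 3 to 100 characters long.
' NOTE(review): only the length is checked. The character set is not
' restricted, so the value is safe in SQL only because it is bound as a
' parameter below, and safe in the redirect only because it is URL-encoded.
' Add an allowlist here if serial numbers have a known format.
If serialnumber = "" Or Len(serialnumber) < 3 Or Len(serialnumber) > 100 Then
    objConn.Close
    Response.Redirect("./adddevice.asp?error=INVALID_SERIAL")
    Response.End
End If

' Check if serial number already exists - PHASE 2: Use machines table
' Only rows with a non-NULL pctypeid are treated as duplicates; a row with
' the same serial number and a NULL pctypeid does not block the insert.
Dim checkSQL, rsCheck, cmdCheck, existingMachineID
checkSQL = "SELECT machineid FROM machines WHERE serialnumber = ? AND pctypeid IS NOT NULL"

Set cmdCheck = Server.CreateObject("ADODB.Command")
cmdCheck.ActiveConnection = objConn
cmdCheck.CommandText = checkSQL
cmdCheck.CommandType = 1 ' adCmdText
' 200 = adVarChar, 1 = adParamInput, 100 = maximum length (matches the check
' above). The value is bound by position to the ? placeholder.
cmdCheck.Parameters.Append cmdCheck.CreateParameter("@serialnumber", 200, 1, 100, serialnumber)

Set rsCheck = cmdCheck.Execute

If Not rsCheck.EOF Then
    ' Serial number already exists - redirect to edit page
    existingMachineID = rsCheck("machineid")
    rsCheck.Close
    Set rsCheck = Nothing
    Set cmdCheck = Nothing
    objConn.Close
    ' The id comes from the database, but it is still encoded before it is
    ' placed in the URL so that every redirect value is handled the same way.
    Response.Redirect("./editdevice.asp?pcid=" & Server.URLEncode(existingMachineID & "") & "&scanned=1")
    Response.End
End If

rsCheck.Close
Set rsCheck = Nothing
Set cmdCheck = Nothing

' Insert new device with minimal required fields - PHASE 2: Use machines table
'   machinestatusid = 2 (Inventory)
'   isactive = 1
'   modelnumberid = 1 (default model)
'   requires_manual_machine_config = 0 (no manual config needed)
'   osid = 1 (default OS)
'   machinetypeid = 33 (Standard PC)
'   pctypeid = 1 (Standard PC type)
'   machinenumber = 'IT Closet' (default location for new devices)
'
' NOTE(review): the existence check above and this INSERT are separate
' statements, so two concurrent requests with the same serial number can
' both pass the check. Whether a duplicate row is then rejected depends on a
' UNIQUE constraint on machines.serialnumber, which is not visible here.
Dim insertSQL, cmdInsert, insertErr
insertSQL = "INSERT INTO machines (serialnumber, machinestatusid, isactive, modelnumberid, requires_manual_machine_config, osid, machinetypeid, pctypeid, machinenumber, lastupdated) " & _
            "VALUES (?, 2, 1, 1, 0, 1, 33, 1, 'IT Closet', NOW())"

Set cmdInsert = Server.CreateObject("ADODB.Command")
cmdInsert.ActiveConnection = objConn
cmdInsert.CommandText = insertSQL
cmdInsert.CommandType = 1 ' adCmdText
cmdInsert.Parameters.Append cmdInsert.CreateParameter("@serialnumber", 200, 1, 100, serialnumber)

' Trap a failed INSERT so the user gets the generic error redirect instead of
' a raw error page. The error number is captured straight after Execute so
' that the cleanup calls cannot overwrite it, and normal error handling is
' restored before the redirect.
' NOTE(review): the failure is not logged anywhere; consider recording
' Err.Number and Err.Description server-side before they are cleared.
On Error Resume Next
cmdInsert.Execute
insertErr = Err.Number
Set cmdInsert = Nothing
objConn.Close
Err.Clear
On Error GoTo 0

If insertErr = 0 Then
    ' Success - redirect back with success message.
    ' Echo the trimmed, validated value that was stored rather than
    ' re-reading the raw form field.
    Response.Redirect("./adddevice.asp?added=" & Server.URLEncode(serialnumber))
Else
    Response.Redirect("./adddevice.asp?error=db")
End If
%>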