<% '============================================================================= ' FILE: savevendor_direct.asp ' PURPOSE: Create new vendor with type flags ' SECURITY: Parameterized queries, HTML encoding, input validation ' UPDATED: 2025-10-27 - Migrated to secure patterns '============================================================================= %>
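<%
' ---------------------------------------------------------------------------
' savevendor_direct.asp — POST handler for the "add manufacturer" form.
'
' Flow: read the posted fields, validate them, reject a name that already
' exists (case-insensitive), INSERT the vendor row with its category flags,
' read back the generated id and report the outcome to the user.
'
' objConn is an open ADODB.Connection supplied by an include that runs
' before this block; every exit path closes it.
' NOTE(review): no anti-forgery token or authorisation check is visible in
' this file — confirm the including page enforces both before this runs.
' NOTE(review): the markup inside the Response.Write literals below was lost
' when this listing was extracted; they are reproduced exactly as found and
' must be restored from the original file.
' ---------------------------------------------------------------------------
Const VENDOR_MAX_LEN = 50   ' shared by the length check and both bound parameters

Dim vendor, isprinter, ispc, ismachine
vendor    = Trim(Request.Form("vendor"))   ' the trimmed value is what gets stored and echoed
isprinter = Request.Form("isprinter")
ispc      = Request.Form("ispc")
ismachine = Request.Form("ismachine")

' --- Validation -----------------------------------------------------------
' Each failure path closes the connection and ends the response, so nothing
' below can run on unvalidated input.
If vendor = "" Then
    Response.Write("
Error: Manufacturer name is required.
")
    Response.Write("Go back")
    objConn.Close
    Response.End
End If

If Len(vendor) > VENDOR_MAX_LEN Then
    Response.Write("
Error: Manufacturer name too long.
")
    Response.Write("Go back")
    objConn.Close
    Response.End
End If

' At least one category checkbox must be ticked (each posts "1" when checked).
If isprinter <> "1" AND ispc <> "1" AND ismachine <> "1" Then
    Response.Write("
Error: Please select at least one category.
")
    Response.Write("Go back")
    objConn.Close
    Response.End
End If

' --- Duplicate check (parameterized) --------------------------------------
' This SELECT and the INSERT further down are not atomic: two simultaneous
' posts with the same name can both pass it. If vendors.vendor carries a
' UNIQUE index (not verifiable from this file) the insert failure path below
' catches the second one; otherwise the duplicate is only best-effort.
Dim checkSQL, rsCheck, cmdCheck
checkSQL = "SELECT COUNT(*) as cnt FROM vendors WHERE LOWER(vendor) = LOWER(?)"
Set cmdCheck = Server.CreateObject("ADODB.Command")
cmdCheck.ActiveConnection = objConn
cmdCheck.CommandText = checkSQL
cmdCheck.CommandType = 1   ' adCmdText
' 200 = adVarChar, 1 = adParamInput
cmdCheck.Parameters.Append cmdCheck.CreateParameter("@vendor", 200, 1, VENDOR_MAX_LEN, vendor)
Set rsCheck = cmdCheck.Execute

If Not rsCheck.EOF Then
    If Not IsNull(rsCheck("cnt")) Then
        If CLng(rsCheck("cnt")) > 0 Then
            rsCheck.Close
            Set rsCheck = Nothing
            Set cmdCheck = Nothing
            ' The name is user input; encode it before echoing it back.
            Response.Write("
Error: Manufacturer '" & Server.HTMLEncode(vendor) & "' already exists.
")
            Response.Write("Go back")
            objConn.Close
            Response.End
        End If
    End If
End If
rsCheck.Close
Set rsCheck = Nothing
Set cmdCheck = Nothing

' --- Checkbox values -> integer flags -------------------------------------
Dim iPrint, iPC, iMach
If isprinter = "1" Then iPrint = 1 Else iPrint = 0
If ispc = "1" Then iPC = 1 Else iPC = 0
If ismachine = "1" Then iMach = 1 Else iMach = 0

' --- INSERT (parameterized); isactive is always 1 for a new vendor --------
Dim vendorSQL, cmdVendor
vendorSQL = "INSERT INTO vendors (vendor, isactive, isprinter, ispc, ismachine) VALUES (?, 1, ?, ?, ?)"
Set cmdVendor = Server.CreateObject("ADODB.Command")
cmdVendor.ActiveConnection = objConn
cmdVendor.CommandText = vendorSQL
cmdVendor.CommandType = 1   ' adCmdText
cmdVendor.Parameters.Append cmdVendor.CreateParameter("@vendor", 200, 1, VENDOR_MAX_LEN, vendor)
' 3 = adInteger; no size needed for fixed-width types
cmdVendor.Parameters.Append cmdVendor.CreateParameter("@isprinter", 3, 1, , iPrint)
cmdVendor.Parameters.Append cmdVendor.CreateParameter("@ispc", 3, 1, , iPC)
cmdVendor.Parameters.Append cmdVendor.CreateParameter("@ismachine", 3, 1, , iMach)

' Error trapping is enabled only around the Execute so a driver failure
' produces a controlled error page instead of the default ASP error output.
On Error Resume Next
cmdVendor.Execute
If Err.Number <> 0 Then
    ' The driver's message can reveal table, column and server details, so
    ' the user gets a generic failure and the detail stays out of the response.
    ' TODO(review): record Err.Number / Err.Description in a server-side log here.
    Response.Write("
Error: Manufacturer could not be saved.
")
    Response.Write("Go back")
    Set cmdVendor = Nothing
    objConn.Close
    Response.End
End If
Set cmdVendor = Nothing
On Error Goto 0

' --- Read back the generated id ------------------------------------------
' LAST_INSERT_ID() is per-connection in MySQL, so this must use objConn.
Set rsCheck = objConn.Execute("SELECT LAST_INSERT_ID() as newid")
Dim newVendorId
newVendorId = 0
If Not rsCheck.EOF Then
    If Not IsNull(rsCheck("newid")) Then
        newVendorId = CLng(rsCheck("newid"))
    End If
End If
rsCheck.Close
Set rsCheck = Nothing
objConn.Close

' --- Result page ----------------------------------------------------------
If newVendorId > 0 Then
    Response.Write("
Manufacturer added successfully!
")
    ' Echo the same validated, trimmed value that was stored (encoded).
    Response.Write("

Manufacturer '" & Server.HTMLEncode(vendor) & "' has been added.

")
    Response.Write("

Add Another Manufacturer ")
    Response.Write("Add Model

")
Else
    Response.Write("
Error: Manufacturer was not added.
")
    Response.Write("Go back")
End If
%>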