<%
'=============================================================================
' FILE: editapplicationdirect.asp
' PURPOSE: Edit application with nested entity creation
' SECURITY: Parameterized queries, HTML encoding, input validation
' UPDATED: 2025-10-27 - Migrated to secure patterns
'=============================================================================
%>
<%
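' Get all form data
Dim appid, appname, appdescription, supportteamid
Dim applicationnotes, installpath, applicationlink, documentationpath, image
Dim isinstallable, isactive, ishidden, isprinter, islicenced
Dim newsupportteamname, newsupportteamurl, newappownerid
Dim appidNum
appid = Trim(Request.Form("appid"))
appname = Trim(Request.Form("appname"))
appdescription = Trim(Request.Form("appdescription"))
supportteamid = Trim(Request.Form("supportteamid"))
applicationnotes = Trim(Request.Form("applicationnotes"))
installpath = Trim(Request.Form("installpath"))
applicationlink = Trim(Request.Form("applicationlink"))
documentationpath = Trim(Request.Form("documentationpath"))
image = Trim(Request.Form("image"))
' New support team fields
newsupportteamname = Trim(Request.Form("newsupportteamname"))
newsupportteamurl = Trim(Request.Form("newsupportteamurl"))
newappownerid = Trim(Request.Form("newappownerid"))
' appid selects the row the final UPDATE touches and is echoed into the success
' redirect, so it is reduced to a positive integer here, before any database work,
' with the same rule the support team / app owner IDs get further down.
' IsNumeric is tested first and CLng run in a separate statement: VBScript evaluates
' both operands of Or, so "Not IsNumeric(x) Or CLng(x) < 1" would raise Type mismatch
' on non-numeric input. The short Resume Next window also absorbs an Overflow from an
' out-of-range value (appidNum then simply stays 0 and is rejected).
appidNum = 0
If IsNumeric(appid) Then
On Error Resume Next
appidNum = CLng(appid)
On Error Goto 0
End If
If appidNum < 1 Then
Response.Write("Error: Invalid application ID.")
Response.Write("Go back")
objConn.Close
Response.End
End If
' From here on appid is a Long, never raw form text.
appid = appidNum
' Checkboxes - ensure they are always integers 0 or 1
' (an unchecked box is simply absent from the form, so anything other than "1" is 0)
If Request.Form("isinstallable") = "1" Then
isinstallable = 1
Else
isinstallable = 0
End If
If Request.Form("isactive") = "1" Then
isactive = 1
Else
isactive = 0
End If
If Request.Form("ishidden") = "1" Then
ishidden = 1
Else
ishidden = 0
End If
If Request.Form("isprinter") = "1" Then
isprinter = 1
Else
isprinter = 0
End If
If Request.Form("islicenced") = "1" Then
islicenced = 1
Else
islicenced = 0
End If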
' Check if we need to create a new support team first
' NOTE: this If opens the "create new support team" branch; its Else / End If sit
' further down, after the team INSERT, so the nested app-owner flow below runs
' entirely inside this branch.
If supportteamid = "new" Then
If newsupportteamname = "" Then
Response.Write("
Error: Support team name is required.
")
Response.Write("Go back")
objConn.Close
Response.End
End If
' 50 matches the size declared for the @teamname parameter below.
If Len(newsupportteamname) > 50 Then
Response.Write("Error: Support team name too long.
")
Response.Write("Go back")
objConn.Close
Response.End
End If
' Check if support team already exists using parameterized query
' (case-insensitive via LOWER on both sides; the name is bound as a parameter and
' never concatenated into the SQL text).
' NOTE(review): this check-then-insert is not atomic - two concurrent submissions
' can both pass it. Only a unique index on supportteams.teamname prevents
' duplicates reliably; verify one exists.
Dim checkSQL, rsCheck, cmdCheck
checkSQL = "SELECT COUNT(*) as cnt FROM supportteams WHERE LOWER(teamname) = LOWER(?)"
Set cmdCheck = Server.CreateObject("ADODB.Command")
cmdCheck.ActiveConnection = objConn
cmdCheck.CommandText = checkSQL
' 1 = adCmdText; in CreateParameter below 200 = adVarChar, 1 = adParamInput
cmdCheck.CommandType = 1
cmdCheck.Parameters.Append cmdCheck.CreateParameter("@teamname", 200, 1, 50, newsupportteamname)
Set rsCheck = cmdCheck.Execute
' COUNT(*) always yields one row; EOF here means the query itself did not run as expected.
If rsCheck.EOF Then
rsCheck.Close
Response.Write("Error: Database query failed.
")
Response.Write("Go back")
objConn.Close
Response.End
End If
If Not IsNull(rsCheck("cnt")) Then
If CLng(rsCheck("cnt")) > 0 Then
rsCheck.Close
Set cmdCheck = Nothing
' User-supplied name is HTML-encoded before being echoed back.
Response.Write("Error: Support team '" & Server.HTMLEncode(newsupportteamname) & "' already exists.
")
Response.Write("Go back")
objConn.Close
Response.End
End If
End If
rsCheck.Close
Set cmdCheck = Nothing
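' Check if we need to create a new app owner first (nested creation)
' Runs only while a new support team is being created (enclosing If above); the
' owner row has to exist before the team INSERT can reference its id.
If newappownerid = "new" Then
Dim newappownername, newappownersso
newappownername = Trim(Request.Form("newappownername"))
newappownersso = Trim(Request.Form("newappownersso"))
If newappownername = "" Or newappownersso = "" Then
Response.Write("Error: App owner name and SSO are required.
")
Response.Write("Go back")
objConn.Close
Response.End
End If
' 50 matches the @appowner parameter size; @sso is declared at 255 below, so the
' 50-character cap on SSO here is the stricter limit and is the one that applies.
If Len(newappownername) > 50 Or Len(newappownersso) > 50 Then
Response.Write("Error: App owner name or SSO too long.
")
Response.Write("Go back")
objConn.Close
Response.End
End If
' Check if app owner already exists using parameterized query
' (case-insensitive on both columns; values are bound, never concatenated).
' NOTE(review): check-then-insert is not atomic; only a unique index on the
' appowner / sso columns guarantees no duplicates under concurrent requests.
checkSQL = "SELECT COUNT(*) as cnt FROM appowners WHERE LOWER(appowner) = LOWER(?) OR LOWER(sso) = LOWER(?)"
Set cmdCheck = Server.CreateObject("ADODB.Command")
cmdCheck.ActiveConnection = objConn
cmdCheck.CommandText = checkSQL
' 1 = adCmdText; in CreateParameter below 200 = adVarChar, 1 = adParamInput
cmdCheck.CommandType = 1
cmdCheck.Parameters.Append cmdCheck.CreateParameter("@appowner", 200, 1, 50, newappownername)
cmdCheck.Parameters.Append cmdCheck.CreateParameter("@sso", 200, 1, 255, newappownersso)
Set rsCheck = cmdCheck.Execute
' COUNT(*) always yields one row; EOF means the query did not run as expected.
If rsCheck.EOF Then
rsCheck.Close
Set cmdCheck = Nothing
Response.Write("Error: Database query failed (app owner check).
")
Response.Write("Go back")
objConn.Close
Response.End
End If
If Not IsNull(rsCheck("cnt")) Then
If CLng(rsCheck("cnt")) > 0 Then
rsCheck.Close
Set cmdCheck = Nothing
Response.Write("Error: App owner with this name or SSO already exists.
")
Response.Write("Go back")
objConn.Close
Response.End
End If
End If
rsCheck.Close
Set cmdCheck = Nothing
' Insert new app owner using parameterized query
Dim ownerSQL, cmdOwner
ownerSQL = "INSERT INTO appowners (appowner, sso, isactive) VALUES (?, ?, 1)"
' Command failures are inspected through Err instead of aborting the page; the
' On Error Goto 0 below restores normal error handling once the insert is done.
On Error Resume Next
Set cmdOwner = Server.CreateObject("ADODB.Command")
cmdOwner.ActiveConnection = objConn
cmdOwner.CommandText = ownerSQL
cmdOwner.CommandType = 1
cmdOwner.Parameters.Append cmdOwner.CreateParameter("@appowner", 200, 1, 50, newappownername)
cmdOwner.Parameters.Append cmdOwner.CreateParameter("@sso", 200, 1, 255, newappownersso)
cmdOwner.Execute
If Err.Number <> 0 Then
' NOTE(review): Err.Description is the provider's raw message; it is HTML-encoded so
' it renders safely, but it can still disclose schema details. Prefer logging it
' server-side and showing a generic message.
Response.Write("Error creating app owner: " & Server.HTMLEncode(Err.Description) & "
")
Response.Write("Go back")
Set cmdOwner = Nothing
objConn.Close
Response.End
End If
Set cmdOwner = Nothing
On Error Goto 0
' Get the new app owner ID
' LAST_INSERT_ID() (MySQL) is per-connection, so on objConn it is the id of the
' INSERT just executed. Falls back to 0 if no row / NULL comes back.
Set rsCheck = objConn.Execute("SELECT LAST_INSERT_ID() as newid")
newappownerid = 0
If Not rsCheck.EOF Then
If Not IsNull(rsCheck("newid")) Then
newappownerid = CLng(rsCheck("newid"))
End If
End If
rsCheck.Close
Else
' Validate existing app owner ID (only if not empty and not "new")
If newappownerid <> "" And newappownerid <> "new" Then
' IsNumeric and CLng are evaluated in separate statements: VBScript evaluates both
' operands of Or, so the previous "Not IsNumeric(x) Or CLng(x) < 1" raised
' Type mismatch on non-numeric input before the error message could be written.
' The short Resume Next window also absorbs an Overflow from an out-of-range value.
Dim ownerIdValid
ownerIdValid = False
If IsNumeric(newappownerid) Then
On Error Resume Next
If CLng(newappownerid) >= 1 Then ownerIdValid = True
On Error Goto 0
End If
If Not ownerIdValid Then
Response.Write("Error: Invalid app owner.
")
Response.Write("Go back")
objConn.Close
Response.End
End If
End If
End If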
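' Insert new support team using parameterized query
Dim teamSQL, cmdTeam
' newappownerid is still "" when the form sent neither an existing owner nor "new"
' (the branch above deliberately lets that through). CLng("") would then fail under
' On Error Resume Next and surface only as "Error creating support team: Type
' mismatch", so reject it with a clear message before touching the database.
If Not IsNumeric(newappownerid) Then
Response.Write("Error: An app owner is required for a new support team.")
Response.Write("Go back")
objConn.Close
Response.End
End If
teamSQL = "INSERT INTO supportteams (teamname, teamurl, appownerid, isactive) VALUES (?, ?, ?, 1)"
' Command failures are inspected through Err; On Error Goto 0 below restores normal handling.
On Error Resume Next
Set cmdTeam = Server.CreateObject("ADODB.Command")
cmdTeam.ActiveConnection = objConn
cmdTeam.CommandText = teamSQL
' 1 = adCmdText; parameter types: 200 = adVarChar, 3 = adInteger, 1 = adParamInput
cmdTeam.CommandType = 1
cmdTeam.Parameters.Append cmdTeam.CreateParameter("@teamname", 200, 1, 50, newsupportteamname)
' NOTE(review): teamurl has no length check upstream; values over 255 characters
' are left to the provider to truncate or reject.
cmdTeam.Parameters.Append cmdTeam.CreateParameter("@teamurl", 200, 1, 255, newsupportteamurl)
cmdTeam.Parameters.Append cmdTeam.CreateParameter("@appownerid", 3, 1, , CLng(newappownerid))
cmdTeam.Execute
If Err.Number <> 0 Then
' NOTE(review): Err.Description is the provider's raw message; HTML-encoded, but it
' can still disclose schema details - consider logging it and showing a generic text.
Response.Write("Error creating support team: " & Server.HTMLEncode(Err.Description) & "
")
Response.Write("Go back")
Set cmdTeam = Nothing
objConn.Close
Response.End
End If
Set cmdTeam = Nothing
On Error Goto 0
' Get the new support team ID
' LAST_INSERT_ID() (MySQL) is per-connection, so on objConn it is the id of the
' INSERT just executed. Falls back to 0 if no row / NULL comes back.
Set rsCheck = objConn.Execute("SELECT LAST_INSERT_ID() as newid")
supportteamid = 0
If Not rsCheck.EOF Then
If Not IsNull(rsCheck("newid")) Then
supportteamid = CLng(rsCheck("newid"))
End If
End If
rsCheck.Close
Else
' Validate existing support team ID (only if not empty and not "new")
If supportteamid <> "" And supportteamid <> "new" Then
' IsNumeric and CLng are evaluated in separate statements: VBScript evaluates both
' operands of Or, so the previous "Not IsNumeric(x) Or CLng(x) < 1" raised
' Type mismatch on non-numeric input before the error message could be written.
' The short Resume Next window also absorbs an Overflow from an out-of-range value.
Dim teamIdValid
teamIdValid = False
If IsNumeric(supportteamid) Then
On Error Resume Next
If CLng(supportteamid) >= 1 Then teamIdValid = True
On Error Goto 0
End If
If Not teamIdValid Then
Response.Write("Error: Invalid support team ID.
")
Response.Write("Go back")
objConn.Close
Response.End
End If
End If
End If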
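' Update application using parameterized query
Dim strSQL, cmdApp
' supportteamid can still be "" here: the validation branch above only checks it
' when it is non-empty, and CLng("") under On Error Resume Next would surface only
' as "Error: Type mismatch". Fail early with a message the user can act on.
If Not IsNumeric(supportteamid) Then
Response.Write("Error: A support team is required.")
Response.Write("Go back")
objConn.Close
Response.End
End If
strSQL = "UPDATE applications SET " & _
"appname = ?, appdescription = ?, supportteamid = ?, applicationnotes = ?, " & _
"installpath = ?, applicationlink = ?, documentationpath = ?, image = ?, " & _
"isinstallable = ?, isactive = ?, ishidden = ?, isprinter = ?, islicenced = ? " & _
"WHERE appid = ?"
' Command failures are inspected through Err; On Error Goto 0 at the end restores normal handling.
On Error Resume Next
Set cmdApp = Server.CreateObject("ADODB.Command")
cmdApp.ActiveConnection = objConn
cmdApp.CommandText = strSQL
' 1 = adCmdText; parameter types: 200 = adVarChar, 3 = adInteger, 11 = adBoolean, 1 = adParamInput
cmdApp.CommandType = 1
' Add parameters in order - positional "?" placeholders, so this order must match the SQL.
' NOTE(review): the text fields have no length validation upstream; values longer
' than the declared sizes are left to the provider to truncate or reject.
cmdApp.Parameters.Append cmdApp.CreateParameter("@appname", 200, 1, 50, appname)
cmdApp.Parameters.Append cmdApp.CreateParameter("@appdescription", 200, 1, 255, appdescription)
cmdApp.Parameters.Append cmdApp.CreateParameter("@supportteamid", 3, 1, , CLng(supportteamid))
cmdApp.Parameters.Append cmdApp.CreateParameter("@applicationnotes", 200, 1, 512, applicationnotes)
cmdApp.Parameters.Append cmdApp.CreateParameter("@installpath", 200, 1, 255, installpath)
cmdApp.Parameters.Append cmdApp.CreateParameter("@applicationlink", 200, 1, 512, applicationlink)
cmdApp.Parameters.Append cmdApp.CreateParameter("@documentationpath", 200, 1, 512, documentationpath)
cmdApp.Parameters.Append cmdApp.CreateParameter("@image", 200, 1, 255, image)
cmdApp.Parameters.Append cmdApp.CreateParameter("@isinstallable", 11, 1, , CBool(isinstallable))
cmdApp.Parameters.Append cmdApp.CreateParameter("@isactive", 11, 1, , CBool(isactive))
cmdApp.Parameters.Append cmdApp.CreateParameter("@ishidden", 11, 1, , CBool(ishidden))
cmdApp.Parameters.Append cmdApp.CreateParameter("@isprinter", 11, 1, , CBool(isprinter))
cmdApp.Parameters.Append cmdApp.CreateParameter("@islicenced", 11, 1, , CBool(islicenced))
' A non-numeric appid makes this CLng fail, which lands in the Else branch below.
cmdApp.Parameters.Append cmdApp.CreateParameter("@appid", 3, 1, , CLng(appid))
cmdApp.Execute
If Err.Number = 0 Then
Set cmdApp = Nothing
objConn.Close
' Redirect with the integer form of appid (CLng succeeded on the parameter above),
' so raw form input never reaches the Location header.
Response.Redirect("displayapplication.asp?appid=" & CLng(appid))
Else
' NOTE(review): Err.Description is the provider's raw message; HTML-encoded so it
' renders safely, but it can still disclose schema details. Prefer logging it
' server-side and showing a generic message.
Response.Write("Error: " & Server.HTMLEncode(Err.Description))
Set cmdApp = Nothing
objConn.Close
End If
On Error Goto 0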
%>