<%
'=============================================================================
' FILE: savedevice_direct.asp
' PURPOSE: Create new PC/device with minimal required fields
' SECURITY: Parameterized queries, HTML encoding, input validation
' UPDATED: 2025-10-27 - Migrated to secure patterns
'=============================================================================
%>
<!--#include file="./includes/sql.asp"-->
<%
	' Get the serial number from the form
	Dim serialnumber
	serialnumber = Trim(Request.Form("serialnumber"))

	' Basic validation - serial number should not be empty and should be alphanumeric-ish
	If serialnumber = "" Or Len(serialnumber) < 3 Or Len(serialnumber) > 100 Then
		objConn.Close
		Response.Redirect("./adddevice.asp?error=INVALID_SERIAL")
		Response.End
	End If

	' Check if serial number already exists using parameterized query
	Dim checkSQL, rsCheck, cmdCheck, existingPCID
	checkSQL = "SELECT pcid FROM pc WHERE serialnumber = ?"
	Set cmdCheck = Server.CreateObject("ADODB.Command")
	cmdCheck.ActiveConnection = objConn
	cmdCheck.CommandText = checkSQL
	cmdCheck.CommandType = 1
	cmdCheck.Parameters.Append cmdCheck.CreateParameter("@serialnumber", 200, 1, 100, serialnumber)

	Set rsCheck = cmdCheck.Execute

	If Not rsCheck.EOF Then
		' Serial number already exists - redirect to edit page
		existingPCID = rsCheck("pcid")
		rsCheck.Close
		Set rsCheck = Nothing
		Set cmdCheck = Nothing
		objConn.Close
		Response.Redirect("./editdevice.asp?pcid=" & existingPCID & "&scanned=1")
		Response.End
	End If

	rsCheck.Close
	Set rsCheck = Nothing
	Set cmdCheck = Nothing

	' Insert new device with minimal required fields and defaults using parameterized query
	' pcstatusid = 2 (Inventory)
	' isactive = 1
	' modelnumberid = 1 (default model)
	' requires_manual_machine_config = 0 (no manual config needed)
	' osid = 1 (default OS)
	' machinenumber = 'IT Closet' (default location for new devices)
	Dim insertSQL, cmdInsert
	insertSQL = "INSERT INTO pc (serialnumber, pcstatusid, isactive, modelnumberid, requires_manual_machine_config, osid, machinenumber, dateadded) " & _
				"VALUES (?, 2, 1, 1, 0, 1, 'IT Closet', NOW())"
	Set cmdInsert = Server.CreateObject("ADODB.Command")
	cmdInsert.ActiveConnection = objConn
	cmdInsert.CommandText = insertSQL
	cmdInsert.CommandType = 1
	cmdInsert.Parameters.Append cmdInsert.CreateParameter("@serialnumber", 200, 1, 100, serialnumber)

	On Error Resume Next
	cmdInsert.Execute

	If Err.Number = 0 Then
		Set cmdInsert = Nothing
		objConn.Close
		' Success - redirect back with success message
		Response.Redirect("./adddevice.asp?added=" & Server.URLEncode(Request.Form("serialnumber")))
	Else
		Set cmdInsert = Nothing
		objConn.Close
		Response.Redirect("./adddevice.asp?error=db")
	End If
%>