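<%
'=============================================================================
' FILE: displaymachine.asp
' PURPOSE: Display detailed machine information with edit capability
' SECURITY: Parameterized queries, HTML encoding, input validation
' UPDATED: 2025-10-27 - Migrated to secure patterns
'=============================================================================
%>
<%
' The theme class comes from a client-controlled cookie. The set of valid
' theme names is not known here, so only its shape is checked (CSS class
' characters: letters, digits, space, hyphen, underscore); anything else falls
' back to the default rather than reaching the page markup unchecked.
Dim reTheme
theme = Request.Cookies("theme")
Set reTheme = New RegExp
reTheme.Pattern = "^[A-Za-z0-9 _-]+$"
If theme = "" Or Not reTheme.Test(theme) Then
    theme = "bg-theme1"
End If
Set reTheme = Nothing

'=============================================================================
' SECURITY: Validate machineid or machinenumber parameter
' NOTE: This handles both database ID and machine number for flexibility
'=============================================================================
Dim machineid, machinenumber, paramValue
Dim rsLookup, rsCheck, strLookupSQL

' Accept both machineid and pcid parameters for backwards compatibility.
' GetSafeInteger(source, name, default, min, max): 0 is the requested default,
' presumably returned for a missing or out-of-range value - see the helper.
machineid = GetSafeInteger("QS", "machineid", 0, 1, 999999)
If machineid = 0 Then machineid = GetSafeInteger("QS", "pcid", 0, 1, 999999)

If machineid = 0 Then
    ' No numeric id given: fall back to the machinenumber parameter.
    machinenumber = Request.QueryString("machinenumber")
    If machinenumber <> "" Then
        strLookupSQL = "SELECT machineid FROM machines WHERE machinenumber = ? AND isactive = 1"
        Set rsLookup = ExecuteParameterizedQuery(objConn, strLookupSQL, Array(machinenumber))
        If Not rsLookup.EOF Then
            machineid = rsLookup("machineid")
        End If
        rsLookup.Close
        Set rsLookup = Nothing
    End If
Else
    ' We have a number, but callers sometimes pass a machine number here.
    ' Try it as a machineid first, then as a machinenumber.
    strLookupSQL = "SELECT machineid FROM machines WHERE machineid = ? AND isactive = 1"
    Set rsCheck = ExecuteParameterizedQuery(objConn, strLookupSQL, Array(machineid))
    If rsCheck.EOF Then
        rsCheck.Close
        strLookupSQL = "SELECT machineid FROM machines WHERE machinenumber = ? AND isactive = 1"
        Set rsCheck = ExecuteParameterizedQuery(objConn, strLookupSQL, Array(CStr(machineid)))
        If Not rsCheck.EOF Then
            machineid = rsCheck("machineid")
        Else
            machineid = 0 ' Not found
        End If
    End If
    rsCheck.Close
    Set rsCheck = Nothing
End If

' Nothing resolved: release the connection and send the user back.
If machineid = 0 Then
    objConn.Close
    Response.Redirect("default.asp")
    Response.End
End If

'=============================================================================
' SECURITY: Use parameterized query to prevent SQL injection
' PHASE 2: Removed pc and networkinterfaces tables (migrated to machines)
' NOTE: Use explicit column names to avoid wildcard conflicts between tables
'=============================================================================
' Phase 2: Only query columns that actually exist in machines table.
' machineid is bound as a parameter (CLng keeps it numeric), matching the
' lookups above instead of concatenating it into the SQL text.
strSQL = "SELECT machines.machineid, machines.machinenumber, machines.alias, machines.hostname, " & _
    "machines.serialnumber, machines.machinenotes, machines.mapleft, machines.maptop, " & _
    "machines.modelnumberid, machines.businessunitid, machines.printerid, machines.pctypeid, " & _
    "machines.loggedinuser, machines.osid, machines.machinestatusid, machines.isvnc, machines.iswinrm, " & _
    "machines.controllertypeid, machines.controllerosid, machines.requires_manual_machine_config, " & _
    "machines.lastupdated, machines.lastboottime, " & _
    "DATEDIFF(NOW(), machines.lastboottime) AS uptime_days, " & _
    "machinetypes.machinetype, machinetypes.machinetypeid, " & _
    "pctype.typename AS pctypename, " & _
    "machinestatus.machinestatus, " & _
    "models.modelnumber, models.image, models.modelnumberid, " & _
    "businessunits.businessunit, businessunits.businessunitid, " & _
    "functionalaccounts.functionalaccount, functionalaccounts.functionalaccountid, " & _
    "vendors.vendor, vendors.vendorid, " & _
    "printers.ipaddress AS printerip, printers.printerid AS printer_id, " & _
    "printers.printercsfname, printers.printerwindowsname " & _
    "FROM machines " & _
    "INNER JOIN models ON machines.modelnumberid = models.modelnumberid " & _
    "LEFT JOIN machinetypes ON models.machinetypeid = machinetypes.machinetypeid " & _
    "LEFT JOIN machinestatus ON machines.machinestatusid = machinestatus.machinestatusid " & _
    "INNER JOIN businessunits ON machines.businessunitid = businessunits.businessunitid " & _
    "LEFT JOIN functionalaccounts ON machinetypes.functionalaccountid = functionalaccounts.functionalaccountid " & _
    "INNER JOIN vendors ON models.vendorid = vendors.vendorid " & _
    "LEFT JOIN printers ON machines.printerid = printers.printerid " & _
    "LEFT JOIN pctype ON machines.pctypeid = pctype.pctypeid " & _
    "WHERE machines.machineid = ? AND machines.pctypeid IS NOT NULL"
Set rs = ExecuteParameterizedQuery(objConn, strSQL, Array(CLng(machineid)))

' Check if machine exists (the pctypeid IS NOT NULL filter limits this page to PC rows)
If rs.EOF Then
    rs.Close
    Set rs = Nothing
    objConn.Close
    Response.Redirect("default.asp")
    Response.End
End If

' Fallback: If PC doesn't have location set, get it from controlled machine
Dim pcMapleft, pcMaptop
pcMapleft = rs("mapleft")
pcMaptop = rs("maptop")
' VBScript does not short-circuit: with a Null coordinate the "= """ and "= 0"
' terms are Null, but True Or Null is still True, so the test is NULL-safe.
If (IsNull(pcMapleft) Or pcMapleft = "" Or pcMapleft = 0) And (IsNull(pcMaptop) Or pcMaptop = "" Or pcMaptop = 0) Then
    ' PC has no location, try to get from controlled machine
    Dim rsControlledMachine, controlledSQL
    controlledSQL = "SELECT m.mapleft, m.maptop, m.machinenumber " & _
        "FROM machinerelationships mr " & _
        "JOIN relationshiptypes rt ON mr.relationshiptypeid = rt.relationshiptypeid " & _
        "JOIN machines m ON mr.machineid = m.machineid " & _
        "WHERE mr.related_machineid = ? AND rt.relationshiptype = 'Controls' " & _
        "AND m.mapleft IS NOT NULL AND m.maptop IS NOT NULL AND m.mapleft > 0 AND m.maptop > 0 " & _
        "LIMIT 1"
    Set rsControlledMachine = ExecuteParameterizedQuery(objConn, controlledSQL, Array(CLng(machineid)))
    If Not rsControlledMachine.EOF Then
        ' Use controlled machine's location as fallback
        If Not IsNull(rsControlledMachine("mapleft")) And rsControlledMachine("mapleft") > 0 Then
            pcMapleft = rsControlledMachine("mapleft")
        End If
        If Not IsNull(rsControlledMachine("maptop")) And rsControlledMachine("maptop") > 0 Then
            pcMaptop = rsControlledMachine("maptop")
        End If
    End If
    rsControlledMachine.Close
    Set rsControlledMachine = Nothing
End If
%>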
" alt="Card image cap">
" alt="profile-image" class="profile">
<%=Server.HTMLEncode(rs("machinenumber") & "")%>
<%=Server.HTMLEncode(rs("vendor") & "")%>
<%=Server.HTMLEncode(rs("machinetype") & "")%>
<%' machinedescription column doesn't exist in Phase 2 schema %>

<%=Server.HTMLEncode(rs("machinenotes") & "")%>

Configuration

Serial Number:

Hostname:

Status:

Location:

Vendor:

Model:

PC Type:

BU:

IP Address:

MAC Address:

VNC:

WinRM:

Uptime:

Controlled Equipment:

Printer:

<%
' Values for the Configuration panel. Blank or NULL columns are shown as "N/A".
Function DisplayOrNA(fieldValue)
    Dim text
    text = fieldValue & ""
    If text = "" Then text = "N/A"
    DisplayOrNA = text
End Function

Dim machineNumVal, vendorValM, modelValM, machineTypeVal, buVal, serialNumVal, hostnameVal, statusVal
Dim pctypeName, uptimeDays, pctypeidVal

serialNumVal   = DisplayOrNA(rs("serialnumber"))
hostnameVal    = DisplayOrNA(rs("hostname"))
statusVal      = DisplayOrNA(rs("machinestatus"))
machineNumVal  = DisplayOrNA(rs("machinenumber"))
vendorValM     = DisplayOrNA(rs("vendor"))
modelValM      = DisplayOrNA(rs("modelnumber"))
machineTypeVal = DisplayOrNA(rs("machinetype"))
pctypeName     = DisplayOrNA(rs("pctypename"))   ' PC Type name from the pctype table
buVal          = DisplayOrNA(rs("businessunit"))

' Uptime stays blank (not "N/A") when uptime_days is NULL; the caller shows N/A itself.
uptimeDays = ""
If Not IsNull(rs("uptime_days")) Then uptimeDays = rs("uptime_days") & " days"

' pctypeid drives the relationship notification further down the page.
pctypeidVal = 0
If Not IsNull(rs("pctypeid")) Then pctypeidVal = CLng(rs("pctypeid"))
%>

<%=Server.HTMLEncode(serialNumVal)%>

<%=Server.HTMLEncode(hostnameVal)%>

<%=Server.HTMLEncode(statusVal)%>

<%
' Location cell: the machine number is written into the location markup only
' when usable coordinates are known (pcMapleft/pcMaptop, possibly inherited
' from a controlled machine); otherwise it is tagged "(No location)".
Dim hasLocation
If machineNumVal = "N/A" Then
    Response.Write("N/A")
Else
    hasLocation = False
    If Not IsNull(pcMapleft) And Not IsNull(pcMaptop) Then
        If pcMapleft > 0 And pcMaptop > 0 Then hasLocation = True
    End If
    If hasLocation Then %> <%=Server.HTMLEncode(machineNumVal)%> <%
    Else
        Response.Write(Server.HTMLEncode(machineNumVal) & " (No location)")
    End If
End If
%>

<%=Server.HTMLEncode(vendorValM)%>

<%=Server.HTMLEncode(modelValM)%>

<%=Server.HTMLEncode(pctypeName)%>

<%=Server.HTMLEncode(buVal)%>

<%
' Primary communication (IP and MAC) for this machine: the row flagged
' isprimary, else the active row with the lowest comid, else blanks.
Dim rsPrimaryCom, strPrimaryComSQL, primaryIP, primaryMAC
strPrimaryComSQL = "SELECT address, macaddress FROM communications WHERE machineid = ? AND isprimary = 1 AND isactive = 1 LIMIT 1"
Set rsPrimaryCom = ExecuteParameterizedQuery(objConn, strPrimaryComSQL, Array(machineid))
If Not rsPrimaryCom.EOF Then
    primaryIP = rsPrimaryCom("address") & ""
    primaryMAC = rsPrimaryCom("macaddress") & ""
Else
    ' Try to get first active communication if no primary set
    rsPrimaryCom.Close
    strPrimaryComSQL = "SELECT address, macaddress FROM communications WHERE machineid = ? AND isactive = 1 ORDER BY comid LIMIT 1"
    Set rsPrimaryCom = ExecuteParameterizedQuery(objConn, strPrimaryComSQL, Array(machineid))
    If Not rsPrimaryCom.EOF Then
        primaryIP = rsPrimaryCom("address") & ""
        primaryMAC = rsPrimaryCom("macaddress") & ""
    Else
        primaryIP = ""
        primaryMAC = ""
    End If
End If
rsPrimaryCom.Close
Set rsPrimaryCom = Nothing
' Display IP Address (HTML-encoded; "N/A" when none)
If primaryIP <> "" Then
    Response.Write("

" & Server.HTMLEncode(primaryIP) & "

")
Else
    Response.Write("

N/A

")
End If
' Display MAC Address (HTML-encoded; "N/A" when none)
If primaryMAC <> "" Then
    Response.Write("

" & Server.HTMLEncode(primaryMAC) & "

")
Else
    Response.Write("

N/A

")
End If
' Display VNC status and link
' isvnc / iswinrm are treated as set when the column is True, 1 or -1.
Dim hasVncEnabled, vncHostname
hasVncEnabled = False
If Not IsNull(rs("isvnc")) Then
    If rs("isvnc") = True Or rs("isvnc") = 1 Or rs("isvnc") = -1 Then
        hasVncEnabled = True
    End If
End If
' Check WinRM status
Dim hasWinRMEnabled
hasWinRMEnabled = False
If Not IsNull(rs("iswinrm")) Then
    If rs("iswinrm") = True Or rs("iswinrm") = 1 Or rs("iswinrm") = -1 Then
        hasWinRMEnabled = True
    End If
End If
' Use hostname with FQDN for VNC connection
' The domain suffix is hard-coded; hostnameVal is database data and is
' HTML-encoded when written below.
vncHostname = ""
If hostnameVal <> "N/A" And hostnameVal <> "" Then
    vncHostname = hostnameVal & ".logon.ds.ge.com"
End If
If hasVncEnabled And vncHostname <> "" Then
    Response.Write("

" & Server.HTMLEncode(vncHostname) & "

")
ElseIf hasVncEnabled And primaryIP <> "" Then
    ' Fallback to IP address if no hostname
    Response.Write("

" & Server.HTMLEncode(primaryIP) & "

")
ElseIf hasVncEnabled Then
    Response.Write("

VNC Enabled (No hostname or IP)

")
Else
    Response.Write("

N/A

")
End If
' Display WinRM status (text instead of badge)
If hasWinRMEnabled Then
    Response.Write("

Enabled

")
Else
    Response.Write("

N/A

")
End If
' Display uptime (uptimeDays is blank when uptime_days was NULL)
If uptimeDays <> "" Then
    Response.Write("

" & Server.HTMLEncode(uptimeDays) & "

")
Else
    Response.Write("

N/A

")
End If
' Get controlled equipment from relationships - check both directions
' Direction 1: This PC (machineid) controls equipment (related_machineid)
' Direction 2: Equipment (machineid) is controlled by this PC (related_machineid)
' Only the first match is shown (LIMIT 1). controlledEquipID is read but not
' used in the visible writes - presumably consumed by the link markup; verify.
Dim rsControlledEquip, strControlledEquipSQL, controlledEquipName, controlledEquipID
' First check: This PC controls equipment (standard direction)
strControlledEquipSQL = "SELECT m.machineid, m.machinenumber FROM machinerelationships mr " & _
    "JOIN relationshiptypes rt ON mr.relationshiptypeid = rt.relationshiptypeid " & _
    "JOIN machines m ON mr.related_machineid = m.machineid " & _
    "WHERE mr.machineid = ? AND rt.relationshiptype = 'Controls' AND mr.isactive = 1 " & _
    "AND m.pctypeid IS NULL LIMIT 1"
Set rsControlledEquip = ExecuteParameterizedQuery(objConn, strControlledEquipSQL, Array(machineid))
If rsControlledEquip.EOF Then
    rsControlledEquip.Close
    ' Second check: Equipment has relationship to this PC (reverse direction)
    strControlledEquipSQL = "SELECT m.machineid, m.machinenumber FROM machinerelationships mr " & _
        "JOIN relationshiptypes rt ON mr.relationshiptypeid = rt.relationshiptypeid " & _
        "JOIN machines m ON mr.machineid = m.machineid " & _
        "WHERE mr.related_machineid = ? AND rt.relationshiptype = 'Controls' AND mr.isactive = 1 " & _
        "AND m.pctypeid IS NULL LIMIT 1"
    Set rsControlledEquip = ExecuteParameterizedQuery(objConn, strControlledEquipSQL, Array(machineid))
End If
If Not rsControlledEquip.EOF Then
    controlledEquipName = rsControlledEquip("machinenumber") & ""
    controlledEquipID = rsControlledEquip("machineid")
    Response.Write("

" & Server.HTMLEncode(controlledEquipName) & "

")
Else
    Response.Write("

N/A

")
End If
rsControlledEquip.Close
Set rsControlledEquip = Nothing
' SECURITY: HTML encode printer data to prevent XSS
' Printer data - check if exists (LEFT JOIN may return NULL)
' Not short-circuit: a Null printerid makes the second term Null, and
' False And Null is False, so the test raises no error.
If Not IsNull(rs("printerid")) And rs("printerid") <> "" Then
    Dim printerNameVal
    printerNameVal = rs("printerwindowsname") & ""
    If printerNameVal = "" Then printerNameVal = "Printer #" & rs("printerid")
    Response.Write("

" & Server.HTMLEncode(printerNameVal) & "

")
Else
    Response.Write("

N/A

")
End If
%>
Network Communications
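<%
' Network Communications table: every active communications row for this
' machine, primary rows first.
' SECURITY: address, macaddress and interfacename are free-text columns; they
' are HTML-encoded once here, after the "N/A" default, so they are safe
' wherever the row writes below concatenate them (typename is encoded at output).
strSQL2 = "SELECT c.*, ct.typename FROM communications c " & _
    "JOIN comstypes ct ON c.comstypeid = ct.comstypeid " & _
    "WHERE c.machineid = ? AND c.isactive = 1 ORDER BY c.isprimary DESC, c.comid ASC"
Set rs2 = ExecuteParameterizedQuery(objConn, strSQL2, Array(machineid))
If rs2.EOF Then
    Response.Write("")
Else
    Dim ipAddr, macAddr, ifaceName, isPrimary, statusBadge
    Do While Not rs2.EOF
        ipAddr = rs2("address") & ""
        macAddr = rs2("macaddress") & ""
        ifaceName = rs2("interfacename") & ""
        isPrimary = rs2("isprimary")
        If ipAddr = "" Then ipAddr = "N/A"
        If macAddr = "" Then macAddr = "N/A"
        If ifaceName = "" Then ifaceName = "N/A"
        ipAddr = Server.HTMLEncode(ipAddr)
        macAddr = Server.HTMLEncode(macAddr)
        ifaceName = Server.HTMLEncode(ifaceName)
        ' A NULL isprimary is treated as False by VBScript's If.
        If isPrimary Then
            statusBadge = "Primary"
        Else
            statusBadge = ""
        End If
        ' Row markup: opening/closing plus the Type, IP, MAC, Interface,
        ' Primary and Status cells, built from the values prepared above.
        Response.Write("")
        Response.Write("")
        Response.Write("")
        Response.Write("")
        Response.Write("")
        Response.Write("")
        Response.Write("")
        Response.Write("")
        rs2.MoveNext
    Loop
End If
rs2.Close
Set rs2 = Nothing
%>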
Type IP Address MAC Address Interface Primary Status
No network communications configured
" & Server.HTMLEncode(rs2("typename") & "") & "" & ipAddr & "" & macAddr & "" & ifaceName & "" & statusBadge & "Active
Machine Relationships
<%
' Show notification for PC types that can have equipment relationships
' CMM=5, Wax/Trace=6, Keyence=7, Genspect=8, Heat Treat=9, Part Marker=10
' pctypeidVal is derived from rs("pctypeid") in the Configuration block
' (0 when NULL, so it never matches). The End If follows the notice markup.
If pctypeidVal >= 5 And pctypeidVal <= 10 Then
%>
This PC type can be assigned to control equipment. Use Edit Machine to set up relationships.
<% End If %>
Connected Equipment
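<%
' Connected Equipment table: every equipment row (pctypeid IS NULL) related to
' this PC in either direction of machinerelationships, excluding the PC itself.
' SECURITY: machinetype and modelnumber are HTML-encoded once here, after the
' "N/A" default, so the row writes below are safe; machinenumber and
' relationshiptype are encoded at the point of output instead.
strSQL2 = "SELECT m.machineid, m.machinenumber, mt.machinetype, mo.modelnumber, rt.relationshiptype " & _
    "FROM machinerelationships mr " & _
    "JOIN relationshiptypes rt ON mr.relationshiptypeid = rt.relationshiptypeid " & _
    "JOIN machines m ON (mr.machineid = m.machineid OR mr.related_machineid = m.machineid) " & _
    "LEFT JOIN models mo ON m.modelnumberid = mo.modelnumberid " & _
    "LEFT JOIN machinetypes mt ON mo.machinetypeid = mt.machinetypeid " & _
    "WHERE (mr.machineid = ? OR mr.related_machineid = ?) " & _
    " AND m.pctypeid IS NULL AND m.machineid <> ? AND mr.isactive = 1 " & _
    "ORDER BY rt.relationshiptype, m.machinenumber"
Set rs2 = ExecuteParameterizedQuery(objConn, strSQL2, Array(machineid, machineid, machineid))
If rs2.EOF Then
    Response.Write("")
Else
    Dim ctrlMachineNum, ctrlType, ctrlModel, ctrlMachineID, ctrlRelType, ctrlRelBadge
    Do While Not rs2.EOF
        ctrlMachineNum = rs2("machinenumber") & ""
        ctrlType = rs2("machinetype") & ""
        ctrlModel = rs2("modelnumber") & ""
        ctrlMachineID = rs2("machineid")
        ctrlRelType = rs2("relationshiptype") & ""
        If ctrlMachineNum = "" Then ctrlMachineNum = "N/A"
        If ctrlType = "" Then ctrlType = "N/A"
        If ctrlModel = "" Then ctrlModel = "N/A"
        ctrlType = Server.HTMLEncode(ctrlType)
        ctrlModel = Server.HTMLEncode(ctrlModel)
        ' Badge color based on relationship type (fixed class names, no encoding needed)
        Select Case LCase(ctrlRelType)
            Case "controls"
                ctrlRelBadge = "badge-primary"
            Case "dualpath"
                ctrlRelBadge = "badge-warning"
            Case "connected to"
                ctrlRelBadge = "badge-success"
            Case Else
                ctrlRelBadge = "badge-info"
        End Select
        ' Row markup: opening/closing plus the Machine Number, Type, Model,
        ' Location and Relationship cells, built from the values prepared above.
        Response.Write("")
        Response.Write("")
        Response.Write("")
        Response.Write("")
        Response.Write("")
        Response.Write("")
        Response.Write("")
        rs2.MoveNext
    Loop
End If
rs2.Close
Set rs2 = Nothing
%>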
Machine Number Type Model Location Relationship
No connected equipment
" & Server.HTMLEncode(ctrlMachineNum) & "" & ctrlType & "" & ctrlModel & "" & Server.HTMLEncode(ctrlMachineNum) & " " & Server.HTMLEncode(ctrlRelType) & "
Compliance & Security
<%
' Compliance & Security panel: reads the first compliance row for this
' machine. The If opened here spans the HTML below and is closed by the
' Else / End If block after the Security Scans table.
strSQL2 = "SELECT * FROM compliance WHERE machineid = ?"
Set rs2 = ExecuteParameterizedQuery(objConn, strSQL2, Array(machineid))
If Not rs2.EOF Then
%>

Third Party Managed:

Third Party Manager:

OT Asset System:

DoD Asset Device Type:

Compliant:

<%
' Compliance values for the current rs2 row; NULL columns become "".
Dim thirdPartyManaged, thirdPartyManager, otAssetSystem, dodAssetDeviceType, isCompliant
Dim tpmBadge
thirdPartyManaged = rs2("isthirdpartymanaged") & ""
thirdPartyManager = rs2("thirdpartymanager") & ""
otAssetSystem = rs2("otassetsystem") & ""
dodAssetDeviceType = rs2("otassetdevicetype") & ""
isCompliant = rs2("iscompliant")
' Third party managed badge: only the literal "Yes"/"No" strings are recognised
' (binary comparison, as in VBScript's default "=").
Select Case thirdPartyManaged
    Case "Yes"
        tpmBadge = "Yes"
    Case "No"
        tpmBadge = "No"
    Case Else
        tpmBadge = "N/A"
End Select
%>

<%=tpmBadge%>

<%=Server.HTMLEncode(thirdPartyManager)%>

<%=Server.HTMLEncode(otAssetSystem)%>

<%=Server.HTMLEncode(dodAssetDeviceType)%>

<%
' Compliant cell: a NULL iscompliant means the machine was never assessed.
If IsNull(isCompliant) Then
    Response.Write("Not Assessed")
ElseIf isCompliant Then
    Response.Write("Yes")
Else
    Response.Write("No")
End If
%>


Security Scans
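<%
' Release the compliance recordset before reusing rs2 for the scans.
rs2.Close
Set rs2 = Nothing
' Security Scans table: the ten most recent compliancescans rows.
' SECURITY: scandetails is free text; it is HTML-encoded once here, after the
' default, so the row writes below are safe wherever they concatenate it
' (scanname and scandate are encoded at output; resultBadge is a fixed literal).
strSQL2 = "SELECT * FROM compliancescans WHERE machineid = ? ORDER BY scandate DESC LIMIT 10"
Set rs2 = ExecuteParameterizedQuery(objConn, strSQL2, Array(machineid))
If rs2.EOF Then
    Response.Write("")
Else
    Dim scanName, scanDate, scanResult, scanDetails, resultBadge
    Do While Not rs2.EOF
        scanName = rs2("scanname") & ""
        scanDate = rs2("scandate") & ""
        scanResult = rs2("scanresult") & ""
        scanDetails = rs2("scandetails") & ""
        If scanName = "" Then scanName = "Security Scan"
        If scanDetails = "" Then scanDetails = "No details"
        scanDetails = Server.HTMLEncode(scanDetails)
        ' Result badge
        Select Case LCase(scanResult)
            Case "pass"
                resultBadge = "Pass"
            Case "fail"
                resultBadge = "Fail"
            Case "warning"
                resultBadge = "Warning"
            Case Else
                resultBadge = "Info"
        End Select
        ' Row markup: opening/closing plus the Scan Name, Date, Result and
        ' Details cells, built from the values prepared above.
        Response.Write("")
        Response.Write("")
        Response.Write("")
        Response.Write("")
        Response.Write("")
        Response.Write("")
        rs2.MoveNext
    Loop
End If
rs2.Close
Set rs2 = Nothing
%>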
Scan Name Date Result Details
No security scans recorded
" & Server.HTMLEncode(scanName) & "" & Server.HTMLEncode(scanDate) & "" & resultBadge & "" & scanDetails & "
<%
Else
    ' No compliance row for this machine: write the placeholder and release
    ' rs2 (the branch above closes its own recordsets before reaching here).
    Response.Write("

No compliance data available for this machine.

")
    rs2.Close
    Set rs2 = Nothing
End If
%>
<%
'=============================================================================
' SECURITY: Use parameterized query for installed applications
'=============================================================================
' Installed applications, alphabetical. appDisplay is built fully encoded
' (name, then " v" + version when one is recorded).
Dim appDisplay, appVer, appId
strSQL2 = "SELECT a.appid, a.appname, av.version FROM installedapps ia " & _
    "JOIN applications a ON ia.appid = a.appid " & _
    "LEFT JOIN appversions av ON ia.appversionid = av.appversionid " & _
    "WHERE ia.isactive = 1 AND ia.machineid = ? ORDER BY a.appname ASC"
Set rs2 = ExecuteParameterizedQuery(objConn, strSQL2, Array(machineid))
Do Until rs2.EOF
    appId = rs2("appid")
    appVer = rs2("version") & ""
    appDisplay = Server.HTMLEncode(rs2("appname") & "")
    If appVer <> "" Then
        appDisplay = appDisplay & " v" & Server.HTMLEncode(appVer) & ""
    End If
    Response.Write("")
    rs2.MoveNext
Loop
rs2.Close
Set rs2 = Nothing
%>
" & appDisplay & "
Select Machine Location
Click on the map to select a location
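<%
'=============================================================================
' CLEANUP
'=============================================================================
' The main machine recordset (rs) stays open for the whole page; close it
' explicitly before the connection, as every other recordset on the page is.
If IsObject(rs) Then
    If Not rs Is Nothing Then
        rs.Close
        Set rs = Nothing
    End If
End If
objConn.Close
%>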