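<%
'=============================================================================
' FILE: saveapplicationdirect.asp
' PURPOSE: Create new application with nested entity creation
' SECURITY: Parameterized queries, HTML encoding, input validation
' UPDATED: 2025-10-27 - Migrated to secure patterns
'=============================================================================
%>
<%
' ----------------------------------------------------------------------------
' Flow: read form -> validate -> (optionally create app owner, then support
' team) -> insert application -> redirect to the new record.
'
' objConn (an open ADODB.Connection), ShowError and ShowSuccess are not defined
' on this page; they are assumed to come from an include that runs first.
' NOTE(review): no authorization or anti-forgery (CSRF) check is visible here
' either - confirm the include performs it, as this page writes on POST.
'
' ADO numeric constants used in CreateParameter below:
'   200 = adVarChar, 3 = adInteger, 11 = adBoolean, 1 = adParamInput / adCmdText
' ----------------------------------------------------------------------------

' Sizes declared on the INSERT parameters. Input is validated against the same
' values so oversize text is rejected up front instead of reaching the provider
' (which may truncate or fail depending on the driver).
Const MAXLEN_NAME = 50          ' appname, teamname, appowner, sso (validated length)
Const MAXLEN_SHORT_TEXT = 255   ' appdescription, installpath, image, teamurl, sso (parameter size)
Const MAXLEN_LONG_TEXT = 512    ' applicationnotes, applicationlink, documentationpath
Const MAX_LONG_VALUE = 2147483647

' Close the connection, show the error page and stop processing.
' Callers release any recordset/command they still hold before calling this.
Sub AbortWithError(msg)
    ' Closing can itself fail after a provider error; that must not skip the error page.
    On Error Resume Next
    objConn.Close
    On Error Goto 0
    ShowError msg, "addapplication.asp"
    Response.End
End Sub

' Reject a field whose length exceeds the size declared for its parameter.
Sub RequireMaxLen(value, maxLen, label)
    If Len(value) > maxLen Then
        AbortWithError label & " must be at most " & maxLen & " characters."
    End If
End Sub

' Read a checkbox as exactly 0 or 1 ("1" = checked, anything else = unchecked).
Function CheckboxValue(fieldName)
    If Request.Form(fieldName) = "1" Then
        CheckboxValue = 1
    Else
        CheckboxValue = 0
    End If
End Function

' True when value is a positive integer id that fits in a Long.
' IsNumeric alone is not enough: VBScript's Or does not short-circuit, so
' "If Not IsNumeric(x) Or CLng(x) < 1" raises a type mismatch for "" or text,
' and IsNumeric also accepts "1.5", "1e9" and "+3".
Function IsValidId(value)
    Dim i, ch
    IsValidId = False
    If Len(value) < 1 Or Len(value) > 10 Then Exit Function
    For i = 1 To Len(value)
        ch = Mid(value, i, 1)
        If ch < "0" Or ch > "9" Then Exit Function
    Next
    ' Ten digits can exceed a Long; compare as Double before converting.
    If CDbl(value) > MAX_LONG_VALUE Then Exit Function
    IsValidId = (CLng(value) >= 1)
End Function

' Create an ADODB.Command for parameterized SQL text on objConn.
Function NewTextCommand(sqlText)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    cmd.ActiveConnection = objConn
    cmd.CommandText = sqlText
    cmd.CommandType = 1   ' adCmdText
    Set NewTextCommand = cmd
End Function

' Append an input string parameter of the given declared size.
Sub AddVarCharParam(cmd, paramName, size, value)
    cmd.Parameters.Append cmd.CreateParameter(paramName, 200, 1, size, value)
End Sub

' Append an input integer parameter.
Sub AddIntParam(cmd, paramName, value)
    cmd.Parameters.Append cmd.CreateParameter(paramName, 3, 1, , value)
End Sub

' Append an input boolean parameter (0/1 is converted with CBool).
Sub AddBoolParam(cmd, paramName, value)
    cmd.Parameters.Append cmd.CreateParameter(paramName, 11, 1, , CBool(value))
End Sub

' Execute a "SELECT COUNT(*) AS cnt ..." command.
' Returns the count, or -1 when the query returned no row at all.
Function ExecuteCount(cmd)
    Dim rs
    Set rs = cmd.Execute
    If rs.EOF Then
        ExecuteCount = -1
    ElseIf IsNull(rs("cnt")) Then
        ExecuteCount = 0
    Else
        ExecuteCount = CLng(rs("cnt"))
    End If
    rs.Close
    Set rs = Nothing
End Function

' Return the id generated by the last INSERT on objConn, or 0 if unavailable.
' LAST_INSERT_ID() is per-connection, so it must run on the same objConn.
Function LastInsertId()
    Dim rs
    LastInsertId = 0
    Set rs = objConn.Execute("SELECT LAST_INSERT_ID() AS newid")
    If Not rs.EOF Then
        If Not IsNull(rs("newid")) Then
            LastInsertId = CLng(rs("newid"))
        End If
    End If
    rs.Close
    Set rs = Nothing
End Function

' ---- Read form input --------------------------------------------------------
Dim appname, appdescription, supportteamid
Dim applicationnotes, installpath, applicationlink, documentationpath, image
Dim isinstallable, isactive, ishidden, isprinter, islicenced
Dim newsupportteamname, newsupportteamurl, newappownerid
Dim newappownername, newappownersso
Dim lastErr, teamCount, ownerCount, cmdCheck, cmdOwner, cmdTeam, cmdApp, newAppId

appname = Trim(Request.Form("appname"))
appdescription = Trim(Request.Form("appdescription"))
supportteamid = Trim(Request.Form("supportteamid"))
applicationnotes = Trim(Request.Form("applicationnotes"))
installpath = Trim(Request.Form("installpath"))
applicationlink = Trim(Request.Form("applicationlink"))
documentationpath = Trim(Request.Form("documentationpath"))
image = Trim(Request.Form("image"))

' Fields used only when a new support team / app owner is created inline
newsupportteamname = Trim(Request.Form("newsupportteamname"))
newsupportteamurl = Trim(Request.Form("newsupportteamurl"))
newappownerid = Trim(Request.Form("newappownerid"))
newappownername = Trim(Request.Form("newappownername"))
newappownersso = Trim(Request.Form("newappownersso"))

isinstallable = CheckboxValue("isinstallable")
isactive = CheckboxValue("isactive")
ishidden = CheckboxValue("ishidden")
isprinter = CheckboxValue("isprinter")
islicenced = CheckboxValue("islicenced")

' ---- Validate application fields --------------------------------------------
If Len(appname) < 1 Or Len(appname) > MAXLEN_NAME Then
    AbortWithError "Application name must be 1-" & MAXLEN_NAME & " characters"
End If
RequireMaxLen appdescription, MAXLEN_SHORT_TEXT, "Application description"
RequireMaxLen applicationnotes, MAXLEN_LONG_TEXT, "Application notes"
RequireMaxLen installpath, MAXLEN_SHORT_TEXT, "Install path"
RequireMaxLen applicationlink, MAXLEN_LONG_TEXT, "Application link"
RequireMaxLen documentationpath, MAXLEN_LONG_TEXT, "Documentation path"
RequireMaxLen image, MAXLEN_SHORT_TEXT, "Image"

If supportteamid = "" Then
    AbortWithError "Please select a support team."
End If

' ---- Optional nested creation: app owner -> support team --------------------
' NOTE(review): the owner, team and application INSERTs are not wrapped in a
' transaction (no BeginTrans/CommitTrans on objConn here), so a failure at a
' later step leaves the rows created by the earlier ones in place. The duplicate
' checks below are check-then-insert; a UNIQUE index on the checked columns is
' what actually guarantees uniqueness under concurrent requests.
If supportteamid = "new" Then
    If newsupportteamname = "" Then
        AbortWithError "Support team name is required."
    End If
    RequireMaxLen newsupportteamname, MAXLEN_NAME, "Support team name"
    RequireMaxLen newsupportteamurl, MAXLEN_SHORT_TEXT, "Support team URL"
    ' NOTE(review): teamurl is stored without scheme validation; wherever it is
    ' rendered as a link, restrict it to http(s) (there or here) to be safe.

    Set cmdCheck = NewTextCommand("SELECT COUNT(*) as cnt FROM supportteams WHERE LOWER(teamname) = LOWER(?)")
    AddVarCharParam cmdCheck, "@teamname", MAXLEN_NAME, newsupportteamname
    teamCount = ExecuteCount(cmdCheck)
    Set cmdCheck = Nothing
    If teamCount < 0 Then
        AbortWithError "Database query failed."
    ElseIf teamCount > 0 Then
        AbortWithError "Support team '" & Server.HTMLEncode(newsupportteamname) & "' already exists."
    End If

    If newappownerid = "new" Then
        If newappownername = "" Or newappownersso = "" Then
            AbortWithError "App owner name and SSO are required."
        End If
        RequireMaxLen newappownername, MAXLEN_NAME, "App owner name"
        RequireMaxLen newappownersso, MAXLEN_NAME, "App owner SSO"

        Set cmdCheck = NewTextCommand("SELECT COUNT(*) as cnt FROM appowners WHERE LOWER(appowner) = LOWER(?) OR LOWER(sso) = LOWER(?)")
        AddVarCharParam cmdCheck, "@appowner", MAXLEN_NAME, newappownername
        AddVarCharParam cmdCheck, "@sso", MAXLEN_SHORT_TEXT, newappownersso
        ownerCount = ExecuteCount(cmdCheck)
        Set cmdCheck = Nothing
        If ownerCount < 0 Then
            AbortWithError "Database query failed (app owner check)."
        ElseIf ownerCount > 0 Then
            AbortWithError "App owner with this name or SSO already exists."
        End If

        ' Err is checked right after Execute: any failure in command setup
        ' also surfaces there (Execute on an unset object raises too).
        On Error Resume Next
        Set cmdOwner = NewTextCommand("INSERT INTO appowners (appowner, sso, isactive) VALUES (?, ?, 1)")
        AddVarCharParam cmdOwner, "@appowner", MAXLEN_NAME, newappownername
        AddVarCharParam cmdOwner, "@sso", MAXLEN_SHORT_TEXT, newappownersso
        cmdOwner.Execute
        If Err.Number <> 0 Then
            lastErr = Err.Description
            On Error Goto 0
            Set cmdOwner = Nothing
            ' NOTE(review): provider error text is HTML-encoded (no injection) but
            ' may disclose schema details; logging it server-side and showing a
            ' generic message would be the stricter choice.
            AbortWithError "Error creating app owner: " & Server.HTMLEncode(lastErr)
        End If
        On Error Goto 0
        Set cmdOwner = Nothing

        newappownerid = LastInsertId()
        If newappownerid < 1 Then
            AbortWithError "Could not retrieve new app owner ID."
        End If
    ElseIf Not IsValidId(newappownerid) Then
        AbortWithError "Invalid app owner."
    End If

    On Error Resume Next
    Set cmdTeam = NewTextCommand("INSERT INTO supportteams (teamname, teamurl, appownerid, isactive) VALUES (?, ?, ?, 1)")
    AddVarCharParam cmdTeam, "@teamname", MAXLEN_NAME, newsupportteamname
    AddVarCharParam cmdTeam, "@teamurl", MAXLEN_SHORT_TEXT, newsupportteamurl
    AddIntParam cmdTeam, "@appownerid", CLng(newappownerid)
    cmdTeam.Execute
    If Err.Number <> 0 Then
        lastErr = Err.Description
        On Error Goto 0
        Set cmdTeam = Nothing
        AbortWithError "Error creating support team: " & Server.HTMLEncode(lastErr)
    End If
    On Error Goto 0
    Set cmdTeam = Nothing

    supportteamid = LastInsertId()
    If supportteamid < 1 Then
        AbortWithError "Could not retrieve new support team ID."
    End If
ElseIf Not IsValidId(supportteamid) Then
    AbortWithError "Invalid support team ID."
End If

' ---- Insert the application -------------------------------------------------
Dim strSQL
strSQL = "INSERT INTO applications (" & _
         "appname, appdescription, supportteamid, applicationnotes, " & _
         "installpath, applicationlink, documentationpath, image, " & _
         "isinstallable, isactive, ishidden, isprinter, islicenced" & _
         ") VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"

On Error Resume Next
Set cmdApp = NewTextCommand(strSQL)
' Parameter order must match the column list above
AddVarCharParam cmdApp, "@appname", MAXLEN_NAME, appname
AddVarCharParam cmdApp, "@appdescription", MAXLEN_SHORT_TEXT, appdescription
AddIntParam cmdApp, "@supportteamid", CLng(supportteamid)
AddVarCharParam cmdApp, "@applicationnotes", MAXLEN_LONG_TEXT, applicationnotes
AddVarCharParam cmdApp, "@installpath", MAXLEN_SHORT_TEXT, installpath
AddVarCharParam cmdApp, "@applicationlink", MAXLEN_LONG_TEXT, applicationlink
AddVarCharParam cmdApp, "@documentationpath", MAXLEN_LONG_TEXT, documentationpath
AddVarCharParam cmdApp, "@image", MAXLEN_SHORT_TEXT, image
AddBoolParam cmdApp, "@isinstallable", isinstallable
AddBoolParam cmdApp, "@isactive", isactive
AddBoolParam cmdApp, "@ishidden", ishidden
AddBoolParam cmdApp, "@isprinter", isprinter
AddBoolParam cmdApp, "@islicenced", islicenced
cmdApp.Execute
If Err.Number <> 0 Then
    lastErr = Err.Description
    On Error Goto 0
    Set cmdApp = Nothing
    AbortWithError Server.HTMLEncode(lastErr)
End If
On Error Goto 0
Set cmdApp = Nothing

' Connection is closed before rendering the result page either way
newAppId = LastInsertId()
objConn.Close
If newAppId > 0 Then
    ShowSuccess "Application added successfully.", "displayapplication.asp?appid=" & newAppId, "application details"
Else
    ShowError "Could not retrieve new application ID.", "addapplication.asp"
End If
%>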