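<%
'=============================================================================
' FILE: displaymachine.asp
' PURPOSE: Display detailed machine information with edit capability
' SECURITY: Parameterized queries, HTML encoding, input validation
' UPDATED: 2025-10-27 - Migrated to secure patterns
'=============================================================================
%>
<%
'-----------------------------------------------------------------------------
' Theme selection
' The theme cookie is client-controlled input. It is accepted only when it is
' a plain class-name token (constructed, deliberately narrow pattern; widen it
' if theme names use other characters). Anything else falls back to the
' default, so a crafted cookie cannot inject attribute or markup text wherever
' the theme is written out later in the page.
'-----------------------------------------------------------------------------
Dim themeToken
theme = Request.Cookies("theme") & ""
Set themeToken = New RegExp
themeToken.Pattern = "^[A-Za-z0-9_-]{1,64}$"
If Not themeToken.Test(theme) Then
    theme = "bg-theme1"
End If
Set themeToken = Nothing

'-----------------------------------------------------------------------------
' SECURITY: Validate machineid parameter
' GetSafeInteger is called with fallback 0 and bounds 1..999999, so
' (presumably) missing, malformed and out-of-range values all come back as 0
' and a single test covers them. Nothing below runs with an unvalidated id.
'-----------------------------------------------------------------------------
Dim machineid
machineid = GetSafeInteger("QS", "machineid", 0, 1, 999999)
If machineid = 0 Then
    objConn.Close
    Response.Redirect("default.asp")
    Response.End
End If

'-----------------------------------------------------------------------------
' SECURITY: Use parameterized query to prevent SQL injection
' The id is bound as a parameter; never concatenate it into strSQL.
' NOTE(review): the wildcard lists (machines.*, machinetypes.*, ...) pull every
' column of six tables, so a name shared between them (machines.printerid and
' printers.printerid, for instance) resolves to the first table that defines
' it when read through rs("..."). Listing the columns this page renders would
' remove that ambiguity; left as-is because the full column set is not
' visible here.
' NOTE(review): the pc_network_interfaces LEFT JOIN is not aggregated, so if a
' PC has more than one interface with a DefaultGateway the query returns one
' row per interface and the page reads only the first.
'-----------------------------------------------------------------------------
strSQL = "SELECT machines.*, machinetypes.*, models.*, businessunits.*, vendors.*, functionalaccounts.*, " & _
    "printers.ipaddress AS printerip, printers.printerid, printers.printercsfname, printers.printerwindowsname, " & _
    "pc.pcid, pc.hostname, pc.loggedinuser AS LoggedInUser, pc_network_interfaces.IPAddress AS pcip " & _
    "FROM machines " & _
    "INNER JOIN models ON machines.modelnumberid = models.modelnumberid " & _
    "INNER JOIN machinetypes ON models.machinetypeid = machinetypes.machinetypeid " & _
    "INNER JOIN businessunits ON machines.businessunitid = businessunits.businessunitid " & _
    "INNER JOIN functionalaccounts ON machinetypes.functionalaccountid = functionalaccounts.functionalaccountid " & _
    "INNER JOIN vendors ON models.vendorid = vendors.vendorid " & _
    "LEFT JOIN printers ON machines.printerid = printers.printerid " & _
    "LEFT JOIN pc ON pc.machinenumber = machines.machinenumber " & _
    "LEFT JOIN pc_network_interfaces ON pc_network_interfaces.pcid = pc.pcid AND pc_network_interfaces.DefaultGateway IS NOT NULL " & _
    "WHERE machines.machineid = ?"
Set rs = ExecuteParameterizedQuery(objConn, strSQL, Array(machineid))

' Check if machine exists; an unknown id is not an error page, just a redirect
If rs.EOF Then
    rs.Close
    Set rs = Nothing
    objConn.Close
    Response.Redirect("default.asp")
    Response.End
End If
%>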
" alt="Card image cap">
" alt="profile-image" class="profile">
<%=Server.HTMLEncode(rs("machinenumber") & "")%>
<%=Server.HTMLEncode(rs("vendor") & "")%>
<%=Server.HTMLEncode(rs("machinetype") & "")%>

<%=Server.HTMLEncode(rs("machinedescription") & "")%>

Configuration

Location:

Vendor:

Model:

Function:

BU:

PC:

IP:

User:

Printer:

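<%
' Returns fieldValue as a string, or "N/A" when it is Null or empty, so the
' template below never renders a blank cell. Callers HTML-encode the result
' before output; this helper does no encoding itself.
Function ValueOrNA(fieldValue)
    Dim text
    text = fieldValue & ""   ' Null & "" yields "" in VBScript
    If text = "" Then
        ValueOrNA = "N/A"
    Else
        ValueOrNA = text
    End If
End Function

Dim machineNumVal, vendorValM, modelValM, machineTypeVal, buVal
' Get values and default to N/A if empty
machineNumVal  = ValueOrNA(rs("machinenumber"))
vendorValM     = ValueOrNA(rs("vendor"))
modelValM      = ValueOrNA(rs("modelnumber"))
machineTypeVal = ValueOrNA(rs("machinetype"))
buVal          = ValueOrNA(rs("businessunit"))
%>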

<%
' machineNumVal is pre-filled with "N/A" in the block above when the field is
' Null or empty, so the sentinel also tells us whether there is a real value
' to encode and render.
If machineNumVal <> "N/A" Then %> <%=Server.HTMLEncode(machineNumVal)%> <% Else
    Response.Write("N/A")
End If %>

<%=Server.HTMLEncode(vendorValM)%>

<%=Server.HTMLEncode(modelValM)%>

<%=Server.HTMLEncode(machineTypeVal)%>

<%=Server.HTMLEncode(buVal)%>

<%
' SECURITY: HTML encode all PC data to prevent XSS
' PC data - check if exists (LEFT JOIN may return NULL)
' pc and pc_network_interfaces are LEFT JOINed in the main query, so each field
' read here may be Null. "& """ turns Null into "" before comparing/encoding.
' VBScript's And does not short-circuit, but a Null right-hand operand still
' leaves the whole condition False, so the IsNull guard holds.
If Not IsNull(rs("pcip")) And rs("pcip") <> "" Then
    Dim hostnameVal
    hostnameVal = rs("hostname") & ""
    If hostnameVal = "" Then hostnameVal = "N/A"
    ' Hostname cell
    Response.Write("

" & Server.HTMLEncode(hostnameVal) & "

")
    ' IP cell (the join keeps only interfaces whose DefaultGateway is set)
    Response.Write("

" & Server.HTMLEncode(rs("pcip") & "") & "

")
    ' User cell; LoggedInUser can be Null even when the PC row exists
    If Not IsNull(rs("LoggedInUser")) And rs("LoggedInUser") & "" <> "" Then
        Response.Write("

" & Server.HTMLEncode(rs("LoggedInUser") & "") & "

")
    Else
        Response.Write("

N/A

")
    End If
Else
    ' No usable PC IP (no PC row, or no interface row): N/A for PC, IP and User
    Response.Write("

N/A

")
    Response.Write("

N/A

")
    Response.Write("

N/A

")
End If
' SECURITY: HTML encode printer data to prevent XSS
' Printer data - check if exists (LEFT JOIN may return NULL)
' NOTE(review): rs("printerid") returns the first column of that name in the
' result set; with machines.* selected ahead of printers.printerid that is
' presumably machines.printerid, so a machine whose printer row is missing
' would still take this branch and show "Printer #<id>". Confirm against the
' schema and alias the printers column if that matters.
If Not IsNull(rs("printerid")) And rs("printerid") <> "" Then
    Dim printerNameVal
    printerNameVal = rs("printerwindowsname") & ""
    If printerNameVal = "" Then printerNameVal = "Printer #" & rs("printerid")
    Response.Write("

" & Server.HTMLEncode(printerNameVal) & "

")
Else
    Response.Write("

N/A

")
End If
%>
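<%
'=============================================================================
' SECURITY: Use parameterized query for installed applications
'=============================================================================
' machineid was validated at the top of the page and is bound as a parameter.
' Only appname is rendered below, so only that column is selected: SELECT *
' across two tables also exposes shared names (appid) to the first-match rule
' of rs2("..."). The comma join is written as an explicit INNER JOIN so the
' join condition cannot be dropped silently when the WHERE clause is edited.
strSQL2 = "SELECT appname " & _
    "FROM installedapps " & _
    "INNER JOIN applications ON applications.appid = installedapps.appid " & _
    "WHERE installedapps.isactive = 1 AND installedapps.machineid = ? " & _
    "ORDER BY appname ASC"
Set rs2 = ExecuteParameterizedQuery(objConn, strSQL2, Array(machineid))
Do While Not rs2.EOF
    ' SECURITY: the app name is stored data of unknown origin; encode it.
    ' TODO(review): the wrapper markup around the name did not survive this
    ' copy of the file; restore it from the original template.
    Response.Write("" & Server.HTMLEncode(rs2("appname") & "") & "")
    rs2.MoveNext
Loop
rs2.Close
Set rs2 = Nothing
%>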
"> ">
Current position: X=<%=Server.HTMLEncode(rs("mapleft") & "")%>, Y=<%=Server.HTMLEncode(rs("maptop") & "")%>

Select Machine Location
Click on the map to select a location
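<%
'=============================================================================
' CLEANUP
'=============================================================================
' Close the machine recordset opened at the top of the page before releasing
' the connection. Previously only the rs.EOF redirect path closed rs; rs2 is
' already closed where it is consumed.
rs.Close
Set rs = Nothing
objConn.Close
%>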