shopdb/savevendor_direct.asp

<%
'=============================================================================
' FILE: savevendor_direct.asp
' PURPOSE: Create new vendor with type flags
' SECURITY: Parameterized queries, HTML encoding, input validation
' UPDATED: 2025-10-27 - Migrated to secure patterns
'=============================================================================
%>
<html>
<head>
<link rel="stylesheet" href="./style.css" type="text/css">
<!--#include file="./includes/sql.asp"-->
</head>

<body>
<div class="page">
<%
	Dim vendor, isprinter, ispc, ismachine
	vendor = Trim(Request.Form("vendor"))
	isprinter = Request.Form("isprinter")
	ispc = Request.Form("ispc")
	ismachine = Request.Form("ismachine")

	' Validate
	If vendor = "" Then
		Response.Write("<div class='alert alert-danger'>Error: Manufacturer name is required.</div>")
		Response.Write("<a href='addvendor.asp'>Go back</a>")
		objConn.Close
		Response.End
	End If

	If Len(vendor) > 50 Then
		Response.Write("<div class='alert alert-danger'>Error: Manufacturer name too long.</div>")
		Response.Write("<a href='addvendor.asp'>Go back</a>")
		objConn.Close
		Response.End
	End If

	If isprinter <> "1" AND ispc <> "1" AND ismachine <> "1" Then
		Response.Write("<div class='alert alert-danger'>Error: Please select at least one category.</div>")
		Response.Write("<a href='addvendor.asp'>Go back</a>")
		objConn.Close
		Response.End
	End If

	' Check if vendor exists using parameterized query
	Dim checkSQL, rsCheck, cmdCheck
	checkSQL = "SELECT COUNT(*) as cnt FROM vendors WHERE LOWER(vendor) = LOWER(?)"
	Set cmdCheck = Server.CreateObject("ADODB.Command")
	cmdCheck.ActiveConnection = objConn
	cmdCheck.CommandText = checkSQL
	cmdCheck.CommandType = 1
	cmdCheck.Parameters.Append cmdCheck.CreateParameter("@vendor", 200, 1, 50, vendor)
	Set rsCheck = cmdCheck.Execute

	If Not rsCheck.EOF Then
		If Not IsNull(rsCheck("cnt")) Then
			If CLng(rsCheck("cnt")) > 0 Then
				rsCheck.Close
				Set rsCheck = Nothing
				Set cmdCheck = Nothing
				Response.Write("<div class='alert alert-danger'>Error: Manufacturer '" & Server.HTMLEncode(vendor) & "' already exists.</div>")
				Response.Write("<a href='addvendor.asp'>Go back</a>")
				objConn.Close
				Response.End
			End If
		End If
	End If
	rsCheck.Close
	Set rsCheck = Nothing
	Set cmdCheck = Nothing

	' Convert checkboxes
	Dim iPrint, iPC, iMach
	If isprinter = "1" Then iPrint = 1 Else iPrint = 0
	If ispc = "1" Then iPC = 1 Else iPC = 0
	If ismachine = "1" Then iMach = 1 Else iMach = 0

	' INSERT using parameterized query
	Dim vendorSQL, cmdVendor
	vendorSQL = "INSERT INTO vendors (vendor, isactive, isprinter, ispc, ismachine) VALUES (?, 1, ?, ?, ?)"
	Set cmdVendor = Server.CreateObject("ADODB.Command")
	cmdVendor.ActiveConnection = objConn
	cmdVendor.CommandText = vendorSQL
	cmdVendor.CommandType = 1
	cmdVendor.Parameters.Append cmdVendor.CreateParameter("@vendor", 200, 1, 50, vendor)
	cmdVendor.Parameters.Append cmdVendor.CreateParameter("@isprinter", 3, 1, , iPrint)
	cmdVendor.Parameters.Append cmdVendor.CreateParameter("@ispc", 3, 1, , iPC)
	cmdVendor.Parameters.Append cmdVendor.CreateParameter("@ismachine", 3, 1, , iMach)

	On Error Resume Next
	cmdVendor.Execute

	If Err.Number <> 0 Then
		Response.Write("<div class='alert alert-danger'>Error: " & Server.HTMLEncode(Err.Description) & "</div>")
		Response.Write("<a href='addvendor.asp'>Go back</a>")
		Set cmdVendor = Nothing
		objConn.Close
		Response.End
	End If

	Set cmdVendor = Nothing
	On Error Goto 0

	' Get the newly created vendor ID
	Set rsCheck = objConn.Execute("SELECT LAST_INSERT_ID() as newid")
	Dim newVendorId
	newVendorId = 0
	If Not rsCheck.EOF Then
		If Not IsNull(rsCheck("newid")) Then
			newVendorId = CLng(rsCheck("newid"))
		End If
	End If
	rsCheck.Close
	Set rsCheck = Nothing

	objConn.Close

	If newVendorId > 0 Then
		Response.Write("<div class='alert alert-success'><i class='zmdi zmdi-check'></i> Manufacturer added successfully!</div>")
		Response.Write("<p>Manufacturer '" & Server.HTMLEncode(Request.Form("vendor")) & "' has been added.</p>")
		Response.Write("<p><a href='addvendor.asp' class='btn btn-primary'>Add Another Manufacturer</a> ")
		Response.Write("<a href='addmodel.asp' class='btn btn-secondary'>Add Model</a></p>")
	Else
		Response.Write("<div class='alert alert-danger'>Error: Manufacturer was not added.</div>")
		Response.Write("<a href='addvendor.asp'>Go back</a>")
	End If
%>
</div>
</body>
</html>