shopdb/updatedevice_direct.asp.backup-20251114

<%
'=============================================================================
' FILE: updatedevice_direct.asp
' PURPOSE: Update PC/device with optional vendor and model creation
' SECURITY: Parameterized queries, HTML encoding, input validation
' UPDATED: 2025-10-27 - Migrated to secure patterns
'=============================================================================
%>
<!--#include file="./includes/sql.asp"-->
<%
	' Get form data
	Dim pcid, machinestatusid, pctypeid, hostname, modelnumberid, machinenumber, isactive

	pcid = Trim(Request.Form("pcid"))
	machinestatusid = Trim(Request.Form("machinestatusid"))
	pctypeid = Trim(Request.Form("pctypeid"))
	hostname = Trim(Request.Form("hostname"))
	modelnumberid = Trim(Request.Form("modelnumberid"))
	machinenumber = Trim(Request.Form("machinenumber"))
	isactive = Trim(Request.Form("isactive"))

	' Get form inputs for new model
	Dim newmodelnumber, newvendorid
	newmodelnumber = Trim(Request.Form("newmodelnumber"))
	newvendorid = Trim(Request.Form("newvendorid"))

	' Get form inputs for new vendor
	Dim newvendorname
	newvendorname = Trim(Request.Form("newvendorname"))

	' Validate required ID fields
	If Not IsNumeric(pcid) Or CLng(pcid) < 1 Then
		Response.Write("Invalid PC ID")
		objConn.Close
		Response.End
	End If

	If Not IsNumeric(machinestatusid) Or CLng(machinestatusid) < 1 Then
		Response.Redirect("editdevice.asp?pcid=" & pcid & "&error=REQUIRED_FIELD")
		objConn.Close
		Response.End
	End If

	' Set isactive: if checkbox not checked, it won't be in form data
	If isactive = "1" Then
		isactive = 1
	Else
		isactive = 0
	End If

	' Validate optional ID fields - allow "new" as a valid value for model
	If pctypeid <> "" Then
		If Not IsNumeric(pctypeid) Or CLng(pctypeid) < 1 Then
			Response.Redirect("editdevice.asp?pcid=" & pcid & "&error=INVALID_ID")
			objConn.Close
			Response.End
		End If
	End If

	If modelnumberid <> "" And modelnumberid <> "new" Then
		If Not IsNumeric(modelnumberid) Or CLng(modelnumberid) < 1 Then
			Response.Redirect("editdevice.asp?pcid=" & pcid & "&error=INVALID_ID")
			objConn.Close
			Response.End
		End If
	End If

	' Handle new model creation
	If modelnumberid = "new" Then
		If Len(newmodelnumber) = 0 Then
			Response.Redirect("editdevice.asp?pcid=" & pcid & "&error=REQUIRED_FIELD")
			objConn.Close
			Response.End
		End If

		If Len(newvendorid) = 0 Then
			Response.Redirect("editdevice.asp?pcid=" & pcid & "&error=REQUIRED_FIELD")
			objConn.Close
			Response.End
		End If

		If Len(newmodelnumber) > 50 Then
			Response.Redirect("editdevice.asp?pcid=" & pcid & "&error=INVALID_INPUT")
			objConn.Close
			Response.End
		End If

		' Handle new vendor creation (nested)
		If newvendorid = "new" Then
			If Len(newvendorname) = 0 Then
				Response.Redirect("editdevice.asp?pcid=" & pcid & "&error=REQUIRED_FIELD")
				objConn.Close
				Response.End
			End If

			If Len(newvendorname) > 50 Then
				Response.Redirect("editdevice.asp?pcid=" & pcid & "&error=INVALID_INPUT")
				objConn.Close
				Response.End
			End If

			' Insert new vendor using parameterized query (with ispc=1)
			Dim sqlNewVendor, cmdNewVendor
			sqlNewVendor = "INSERT INTO vendors (vendor, isactive, isprinter, ispc, ismachine) VALUES (?, 1, 0, 1, 0)"
			Set cmdNewVendor = Server.CreateObject("ADODB.Command")
			cmdNewVendor.ActiveConnection = objConn
			cmdNewVendor.CommandText = sqlNewVendor
			cmdNewVendor.CommandType = 1
			cmdNewVendor.Parameters.Append cmdNewVendor.CreateParameter("@vendor", 200, 1, 50, newvendorname)

			On Error Resume Next
			cmdNewVendor.Execute

			If Err.Number <> 0 Then
				Response.Redirect("editdevice.asp?pcid=" & pcid & "&error=db&msg=" & Server.URLEncode(Server.HTMLEncode(Err.Description)))
				Set cmdNewVendor = Nothing
				objConn.Close
				Response.End
			End If

			' Get the newly created vendor ID
			Dim rsNewVendor
			Set rsNewVendor = objConn.Execute("SELECT LAST_INSERT_ID() AS newid")
			newvendorid = CLng(rsNewVendor("newid"))
			rsNewVendor.Close
			Set rsNewVendor = Nothing
			Set cmdNewVendor = Nothing
			On Error Goto 0
		End If

		' Insert new model using parameterized query
		Dim sqlNewModel, cmdNewModel
		sqlNewModel = "INSERT INTO models (modelnumber, vendorid, isactive) VALUES (?, ?, 1)"
		Set cmdNewModel = Server.CreateObject("ADODB.Command")
		cmdNewModel.ActiveConnection = objConn
		cmdNewModel.CommandText = sqlNewModel
		cmdNewModel.CommandType = 1
		cmdNewModel.Parameters.Append cmdNewModel.CreateParameter("@modelnumber", 200, 1, 50, newmodelnumber)
		cmdNewModel.Parameters.Append cmdNewModel.CreateParameter("@vendorid", 3, 1, , CLng(newvendorid))

		On Error Resume Next
		cmdNewModel.Execute

		If Err.Number <> 0 Then
			Response.Redirect("editdevice.asp?pcid=" & pcid & "&error=db&msg=" & Server.URLEncode(Server.HTMLEncode(Err.Description)))
			Set cmdNewModel = Nothing
			objConn.Close
			Response.End
		End If

		' Get the newly created model ID
		Dim rsNewModel
		Set rsNewModel = objConn.Execute("SELECT LAST_INSERT_ID() AS newid")
		modelnumberid = CLng(rsNewModel("newid"))
		rsNewModel.Close
		Set rsNewModel = Nothing
		Set cmdNewModel = Nothing
		On Error Goto 0
	End If

	' Validate field lengths
	If hostname <> "" And Len(hostname) > 255 Then
		Response.Redirect("editdevice.asp?pcid=" & pcid & "&error=INVALID_INPUT")
		objConn.Close
		Response.End
	End If

	If machinenumber <> "" And Len(machinenumber) > 50 Then
		Response.Redirect("editdevice.asp?pcid=" & pcid & "&error=INVALID_INPUT")
		objConn.Close
		Response.End
	End If

	' Build UPDATE query using parameterized query
	Dim updateSQL, cmdUpdate
	updateSQL = "UPDATE machines SET machinestatusid = ?, isactive = ?, pctypeid = ?, hostname = ?, modelnumberid = ?, machinenumber = ?, lastupdated = NOW() WHERE machineid = ? AND pctypeid IS NOT NULL"
	Set cmdUpdate = Server.CreateObject("ADODB.Command")
	cmdUpdate.ActiveConnection = objConn
	cmdUpdate.CommandText = updateSQL
	cmdUpdate.CommandType = 1
	cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@machinestatusid", 3, 1, , CLng(machinestatusid))
	cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@isactive", 3, 1, , isactive)

	' Handle optional pctypeid
	If pctypeid <> "" Then
		cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@pctypeid", 3, 1, , CLng(pctypeid))
	Else
		cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@pctypeid", 3, 1, , Null)
	End If

	' Handle optional hostname
	If hostname <> "" Then
		cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@hostname", 200, 1, 255, hostname)
	Else
		cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@hostname", 200, 1, 255, Null)
	End If

	' Handle optional modelnumberid
	If modelnumberid <> "" Then
		cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@modelnumberid", 3, 1, , CLng(modelnumberid))
	Else
		cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@modelnumberid", 3, 1, , Null)
	End If

	' Handle optional machinenumber
	If machinenumber <> "" Then
		cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@machinenumber", 200, 1, 50, machinenumber)
	Else
		cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@machinenumber", 200, 1, 50, Null)
	End If

	cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@machineid", 3, 1, , CLng(pcid))

	' Execute update
	On Error Resume Next
	cmdUpdate.Execute

	If Err.Number = 0 Then
		Set cmdUpdate = Nothing
		objConn.Close
		' Success - redirect back to scan page ready for next scan
		Response.Redirect("./adddevice.asp")
	Else
		Dim errMsg
		errMsg = Server.HTMLEncode(Err.Description)
		Set cmdUpdate = Nothing
		objConn.Close
		Response.Redirect("./editdevice.asp?pcid=" & pcid & "&error=db&msg=" & Server.URLEncode(errMsg))
	End If
%>