shopdb/editmacine.asp.backup-refactor-20251027

<%
'=============================================================================
' FILE: editmacine.asp
' PURPOSE: Edit machine information with nested entity creation
' SECURITY: Parameterized queries, HTML encoding, input validation
' UPDATED: 2025-10-27 - Migrated to secure patterns
' NOTE: File has typo in name (macine vs machine) - preserved for compatibility
'=============================================================================
%><html>
<head>
<link rel="stylesheet" href="./style.css" type="text/css">
<!--#include file="./includes/sql.asp"-->
<!--#include file="./includes/validation.asp"-->
<!--#include file="./includes/db_helpers.asp"-->
</head>

<body>
<div class="page">
<%
	'=============================================================================
	' SECURITY: Validate machineid from querystring
	'=============================================================================
	Dim machineid
	machineid = GetSafeInteger("QS", "machineid", 0, 1, 999999)

	If machineid = 0 Then
		Response.Write("<div class='alert alert-danger'>Error: Invalid machine ID.</div>")
		Response.Write("<a href='displaymachines.asp'>Go back</a>")
		objConn.Close
		Response.End
	End If

	'=============================================================================
	' SECURITY: Get and validate all form inputs
	'=============================================================================
	Dim modelid, machinetypeid, businessunitid, printerid, mapleft, maptop
	modelid = GetSafeString("FORM", "modelid", "", 1, 50, "")
	machinetypeid = GetSafeString("FORM", "machinetypeid", "", 1, 50, "")
	businessunitid = GetSafeString("FORM", "businessunitid", "", 1, 50, "")
	printerid = GetSafeInteger("FORM", "printerid", 0, 0, 999999)
	mapleft = GetSafeInteger("FORM", "mapleft", 0, 0, 9999)
	maptop = GetSafeInteger("FORM", "maptop", 0, 0, 9999)

	' Get form inputs for new business unit
	Dim newbusinessunit
	newbusinessunit = GetSafeString("FORM", "newbusinessunitname", "", 0, 50, "")

	' Get form inputs for new machine type
	Dim newmachinetype, newmachinedescription, newfunctionalaccountid
	newmachinetype = GetSafeString("FORM", "newmachinetypename", "", 0, 50, "")
	newmachinedescription = GetSafeString("FORM", "newmachinetypedescription", "", 0, 255, "")
	newfunctionalaccountid = GetSafeString("FORM", "newfunctionalaccountid", "", 0, 50, "")

	' Get form inputs for new functional account
	Dim newfunctionalaccount
	newfunctionalaccount = GetSafeString("FORM", "newfunctionalaccountname", "", 0, 50, "")

	' Get form inputs for new model
	Dim newmodelnumber, newvendorid, newmodelimage
	newmodelnumber = GetSafeString("FORM", "newmodelnumber", "", 0, 255, "")
	newvendorid = GetSafeString("FORM", "newvendorid", "", 0, 50, "")
	newmodelimage = GetSafeString("FORM", "newmodelimage", "", 0, 255, "")

	' Get form inputs for new vendor
	Dim newvendorname
	newvendorname = GetSafeString("FORM", "newvendorname", "", 0, 50, "")

	'=============================================================================
	' Validate required fields
	'=============================================================================
	If modelid <> "new" And (Not IsNumeric(modelid)) Then
		Response.Write("<div class='alert alert-danger'>Error: Invalid model ID.</div>")
		Response.Write("<a href='displaymachine.asp?machineid=" & Server.HTMLEncode(machineid) & "'>Go back</a>")
		objConn.Close
		Response.End
	End If

	If machinetypeid <> "new" And (Not IsNumeric(machinetypeid)) Then
		Response.Write("<div class='alert alert-danger'>Error: Invalid machine type ID.</div>")
		Response.Write("<a href='displaymachine.asp?machineid=" & Server.HTMLEncode(machineid) & "'>Go back</a>")
		objConn.Close
		Response.End
	End If

	If businessunitid <> "new" And (Not IsNumeric(businessunitid)) Then
		Response.Write("<div class='alert alert-danger'>Error: Invalid business unit ID.</div>")
		Response.Write("<a href='displaymachine.asp?machineid=" & Server.HTMLEncode(machineid) & "'>Go back</a>")
		objConn.Close
		Response.End
	End If

	'=============================================================================
	' SECURITY: Handle new business unit creation with parameterized query
	'=============================================================================
	If businessunitid = "new" Then
		If Len(newbusinessunit) = 0 Then
			Response.Write("<div class='alert alert-danger'>New business unit name is required</div>")
			Response.Write("<a href='displaymachine.asp?machineid=" & Server.HTMLEncode(machineid) & "'>Go back</a>")
			objConn.Close
			Response.End
		End If

		' Insert new business unit using parameterized query
		Dim sqlNewBU
		sqlNewBU = "INSERT INTO businessunits (businessunit, isactive) VALUES (?, 1)"

		On Error Resume Next
		Dim cmdNewBU
		Set cmdNewBU = Server.CreateObject("ADODB.Command")
		cmdNewBU.ActiveConnection = objConn
		cmdNewBU.CommandText = sqlNewBU
		cmdNewBU.CommandType = 1
		cmdNewBU.Parameters.Append cmdNewBU.CreateParameter("@businessunit", 200, 1, 50, newbusinessunit)
		cmdNewBU.Execute

		If Err.Number <> 0 Then
			Response.Write("<div class='alert alert-danger'>Error creating new business unit: " & Server.HTMLEncode(Err.Description) & "</div>")
			Response.Write("<a href='displaymachine.asp?machineid=" & Server.HTMLEncode(machineid) & "'>Go back</a>")
			objConn.Close
			Response.End
		End If

		' Get the newly created business unit ID
		Dim rsNewBU
		Set rsNewBU = objConn.Execute("SELECT LAST_INSERT_ID() AS newid")
		businessunitid = 0
		If Not rsNewBU.EOF Then
			If Not IsNull(rsNewBU("newid")) Then
				businessunitid = CLng(rsNewBU("newid"))
			End If
		End If
		rsNewBU.Close
		Set rsNewBU = Nothing
		Set cmdNewBU = Nothing
		On Error Goto 0
	End If

	'=============================================================================
	' SECURITY: Handle new machine type creation with parameterized query
	'=============================================================================
	If machinetypeid = "new" Then
		If Len(newmachinetype) = 0 Then
			Response.Write("<div class='alert alert-danger'>New machine type name is required</div>")
			Response.Write("<a href='displaymachine.asp?machineid=" & Server.HTMLEncode(machineid) & "'>Go back</a>")
			objConn.Close
			Response.End
		End If

		If Len(newfunctionalaccountid) = 0 Then
			Response.Write("<div class='alert alert-danger'>Functional account is required for new machine type</div>")
			Response.Write("<a href='displaymachine.asp?machineid=" & Server.HTMLEncode(machineid) & "'>Go back</a>")
			objConn.Close
			Response.End
		End If

		' Handle new functional account creation (nested)
		If newfunctionalaccountid = "new" Then
			If Len(newfunctionalaccount) = 0 Then
				Response.Write("<div class='alert alert-danger'>New functional account name is required</div>")
				Response.Write("<a href='displaymachine.asp?machineid=" & Server.HTMLEncode(machineid) & "'>Go back</a>")
				objConn.Close
				Response.End
			End If

			' Insert new functional account using parameterized query
			Dim sqlNewFA
			sqlNewFA = "INSERT INTO functionalaccounts (functionalaccount, isactive) VALUES (?, 1)"

			On Error Resume Next
			Dim cmdNewFA
			Set cmdNewFA = Server.CreateObject("ADODB.Command")
			cmdNewFA.ActiveConnection = objConn
			cmdNewFA.CommandText = sqlNewFA
			cmdNewFA.CommandType = 1
			cmdNewFA.Parameters.Append cmdNewFA.CreateParameter("@functionalaccount", 200, 1, 50, newfunctionalaccount)
			cmdNewFA.Execute

			If Err.Number <> 0 Then
				Response.Write("<div class='alert alert-danger'>Error creating new functional account: " & Server.HTMLEncode(Err.Description) & "</div>")
				Response.Write("<a href='displaymachine.asp?machineid=" & Server.HTMLEncode(machineid) & "'>Go back</a>")
				objConn.Close
				Response.End
			End If

			' Get the newly created functional account ID
			Dim rsNewFA
			Set rsNewFA = objConn.Execute("SELECT LAST_INSERT_ID() AS newid")
			newfunctionalaccountid = 0
			If Not rsNewFA.EOF Then
				If Not IsNull(rsNewFA("newid")) Then
					newfunctionalaccountid = CLng(rsNewFA("newid"))
				End If
			End If
			rsNewFA.Close
			Set rsNewFA = Nothing
			Set cmdNewFA = Nothing
			On Error Goto 0
		End If

		' Insert new machine type using parameterized query
		Dim sqlNewMT
		sqlNewMT = "INSERT INTO machinetypes (machinetype, machinedescription, functionalaccountid, isactive) VALUES (?, ?, ?, 1)"

		On Error Resume Next
		Dim cmdNewMT
		Set cmdNewMT = Server.CreateObject("ADODB.Command")
		cmdNewMT.ActiveConnection = objConn
		cmdNewMT.CommandText = sqlNewMT
		cmdNewMT.CommandType = 1
		cmdNewMT.Parameters.Append cmdNewMT.CreateParameter("@machinetype", 200, 1, 50, newmachinetype)
		cmdNewMT.Parameters.Append cmdNewMT.CreateParameter("@machinedescription", 200, 1, 255, newmachinedescription)
		cmdNewMT.Parameters.Append cmdNewMT.CreateParameter("@functionalaccountid", 3, 1, , CLng(newfunctionalaccountid))
		cmdNewMT.Execute

		If Err.Number <> 0 Then
			Response.Write("<div class='alert alert-danger'>Error creating new machine type: " & Server.HTMLEncode(Err.Description) & "</div>")
			Response.Write("<a href='displaymachine.asp?machineid=" & Server.HTMLEncode(machineid) & "'>Go back</a>")
			objConn.Close
			Response.End
		End If

		' Get the newly created machine type ID
		Dim rsNewMT
		Set rsNewMT = objConn.Execute("SELECT LAST_INSERT_ID() AS newid")
		machinetypeid = 0
		If Not rsNewMT.EOF Then
			If Not IsNull(rsNewMT("newid")) Then
				machinetypeid = CLng(rsNewMT("newid"))
			End If
		End If
		rsNewMT.Close
		Set rsNewMT = Nothing
		Set cmdNewMT = Nothing
		On Error Goto 0
	End If

	'=============================================================================
	' SECURITY: Handle new model creation with parameterized query
	'=============================================================================
	If modelid = "new" Then
		If Len(newmodelnumber) = 0 Then
			Response.Write("<div class='alert alert-danger'>New model number is required</div>")
			Response.Write("<a href='displaymachine.asp?machineid=" & Server.HTMLEncode(machineid) & "'>Go back</a>")
			objConn.Close
			Response.End
		End If

		If Len(newvendorid) = 0 Then
			Response.Write("<div class='alert alert-danger'>Vendor is required for new model</div>")
			Response.Write("<a href='displaymachine.asp?machineid=" & Server.HTMLEncode(machineid) & "'>Go back</a>")
			objConn.Close
			Response.End
		End If

		' Handle new vendor creation (nested)
		If newvendorid = "new" Then
			If Len(newvendorname) = 0 Then
				Response.Write("<div class='alert alert-danger'>New vendor name is required</div>")
				Response.Write("<a href='displaymachine.asp?machineid=" & Server.HTMLEncode(machineid) & "'>Go back</a>")
				objConn.Close
				Response.End
			End If

			' Insert new vendor using parameterized query
			Dim sqlNewVendor
			sqlNewVendor = "INSERT INTO vendors (vendor, isactive, isprinter, ispc, ismachine) VALUES (?, 1, 0, 0, 1)"

			On Error Resume Next
			Dim cmdNewVendor
			Set cmdNewVendor = Server.CreateObject("ADODB.Command")
			cmdNewVendor.ActiveConnection = objConn
			cmdNewVendor.CommandText = sqlNewVendor
			cmdNewVendor.CommandType = 1
			cmdNewVendor.Parameters.Append cmdNewVendor.CreateParameter("@vendor", 200, 1, 50, newvendorname)
			cmdNewVendor.Execute

			If Err.Number <> 0 Then
				Response.Write("<div class='alert alert-danger'>Error creating new vendor: " & Server.HTMLEncode(Err.Description) & "</div>")
				Response.Write("<a href='displaymachine.asp?machineid=" & Server.HTMLEncode(machineid) & "'>Go back</a>")
				objConn.Close
				Response.End
			End If

			' Get the newly created vendor ID
			Dim rsNewVendor
			Set rsNewVendor = objConn.Execute("SELECT LAST_INSERT_ID() AS newid")
			newvendorid = 0
			If Not rsNewVendor.EOF Then
				If Not IsNull(rsNewVendor("newid")) Then
					newvendorid = CLng(rsNewVendor("newid"))
				End If
			End If
			rsNewVendor.Close
			Set rsNewVendor = Nothing
			Set cmdNewVendor = Nothing
			On Error Goto 0
		End If

		' Set default image if not specified
		If newmodelimage = "" Then
			newmodelimage = "default.png"
		End If

		' Insert new model using parameterized query
		Dim sqlNewModel
		sqlNewModel = "INSERT INTO models (modelnumber, vendorid, image, isactive) VALUES (?, ?, ?, 1)"

		On Error Resume Next
		Dim cmdNewModel
		Set cmdNewModel = Server.CreateObject("ADODB.Command")
		cmdNewModel.ActiveConnection = objConn
		cmdNewModel.CommandText = sqlNewModel
		cmdNewModel.CommandType = 1
		cmdNewModel.Parameters.Append cmdNewModel.CreateParameter("@modelnumber", 200, 1, 255, newmodelnumber)
		cmdNewModel.Parameters.Append cmdNewModel.CreateParameter("@vendorid", 3, 1, , CLng(newvendorid))
		cmdNewModel.Parameters.Append cmdNewModel.CreateParameter("@image", 200, 1, 255, newmodelimage)
		cmdNewModel.Execute

		If Err.Number <> 0 Then
			Response.Write("<div class='alert alert-danger'>Error creating new model: " & Server.HTMLEncode(Err.Description) & "</div>")
			Response.Write("<a href='displaymachine.asp?machineid=" & Server.HTMLEncode(machineid) & "'>Go back</a>")
			objConn.Close
			Response.End
		End If

		' Get the newly created model ID
		Dim rsNewModel
		Set rsNewModel = objConn.Execute("SELECT LAST_INSERT_ID() AS newid")
		modelid = 0
		If Not rsNewModel.EOF Then
			If Not IsNull(rsNewModel("newid")) Then
				modelid = CLng(rsNewModel("newid"))
			End If
		End If
		rsNewModel.Close
		Set rsNewModel = Nothing
		Set cmdNewModel = Nothing
		On Error Goto 0
	End If

	'=============================================================================
	' SECURITY: Update machine using parameterized query
	'=============================================================================
	' Build UPDATE statement with parameterized query
	Dim strSQL, paramCount
	paramCount = 0

	strSQL = "UPDATE machines SET modelnumberid = ?, machinetypeid = ?, businessunitid = ?"
	paramCount = 3

	' Add optional printerid
	If printerid > 0 Then
		strSQL = strSQL & ", printerid = ?"
		paramCount = paramCount + 1
	End If

	' Add optional map coordinates
	If mapleft > 0 And maptop > 0 Then
		strSQL = strSQL & ", mapleft = ?, maptop = ?"
		paramCount = paramCount + 2
	End If

	strSQL = strSQL & " WHERE machineid = ?"

	On Error Resume Next
	Dim cmdUpdate
	Set cmdUpdate = Server.CreateObject("ADODB.Command")
	cmdUpdate.ActiveConnection = objConn
	cmdUpdate.CommandText = strSQL
	cmdUpdate.CommandType = 1

	' Add parameters in order
	cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@modelnumberid", 3, 1, , CLng(modelid))
	cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@machinetypeid", 3, 1, , CLng(machinetypeid))
	cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@businessunitid", 3, 1, , CLng(businessunitid))

	If printerid > 0 Then
		cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@printerid", 3, 1, , CLng(printerid))
	End If

	If mapleft > 0 And maptop > 0 Then
		cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@mapleft", 3, 1, , CLng(mapleft))
		cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@maptop", 3, 1, , CLng(maptop))
	End If

	cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@machineid", 3, 1, , CLng(machineid))

	cmdUpdate.Execute

	If Err.Number <> 0 Then
		Response.Write("<div class='alert alert-danger'>Error: " & Server.HTMLEncode(Err.Description) & "</div>")
		Response.Write("<a href='displaymachine.asp?machineid=" & Server.HTMLEncode(machineid) & "'>Go back</a>")
		Set cmdUpdate = Nothing
		objConn.Close
		Response.End
	End If

	Set cmdUpdate = Nothing
	On Error Goto 0
%>
<meta http-equiv="refresh" content="0; url=./displaymachine.asp?machineid=<%=Server.HTMLEncode(machineid)%>">
<%
'=============================================================================
' CLEANUP
'=============================================================================
objConn.Close
%>
</div>
</body>
</html>