shopdb/updatelink_direct.asp

<%
'=============================================================================
' FILE: updatelink_direct.asp
' PURPOSE: Update knowledge base article with nested entity creation (topic, support team, app owner)
' SECURITY: Parameterized queries, HTML encoding, input validation
' UPDATED: 2025-10-27 - Migrated to secure patterns
'=============================================================================
%>
<!--#include file="./includes/sql.asp"-->
<%
' Get form inputs for KB article
Dim linkid, linkurl, shortdescription, keywords, appid
linkid = Trim(Request.Form("linkid"))
linkurl = Trim(Request.Form("linkurl"))
shortdescription = Trim(Request.Form("shortdescription"))
keywords = Trim(Request.Form("keywords"))
appid = Trim(Request.Form("appid"))

' Get form inputs for new topic
Dim newappname, newappdescription, newsupportteamid
Dim newapplicationnotes, newinstallpath, newdocumentationpath, newisactive
newappname = Trim(Request.Form("newappname"))
newappdescription = Trim(Request.Form("newappdescription"))
newsupportteamid = Trim(Request.Form("newsupportteamid"))
newapplicationnotes = Trim(Request.Form("newapplicationnotes"))
newinstallpath = Trim(Request.Form("newinstallpath"))
newdocumentationpath = Trim(Request.Form("newdocumentationpath"))
newisactive = Request.Form("newisactive")

' Get form inputs for new support team
Dim newsupportteamname, newsupportteamurl, newappownerid
newsupportteamname = Trim(Request.Form("newsupportteamname"))
newsupportteamurl = Trim(Request.Form("newsupportteamurl"))
newappownerid = Trim(Request.Form("newappownerid"))

' Get form inputs for new app owner
Dim newappownername, newappownersso
newappownername = Trim(Request.Form("newappownername"))
newappownersso = Trim(Request.Form("newappownersso"))

' Basic validation
If linkid = "" Or Not IsNumeric(linkid) Then
	Response.Write("Invalid link ID")
	objConn.Close
	Response.End
End If

If CLng(linkid) < 1 Then
	Response.Write("Invalid link ID")
	objConn.Close
	Response.End
End If

If Len(linkurl) = 0 Or Len(shortdescription) = 0 Or Len(appid) = 0 Then
	Response.Write("Required fields missing")
	objConn.Close
	Response.End
End If

If Len(linkurl) > 2000 Or Len(shortdescription) > 500 Or Len(keywords) > 500 Then
	Response.Write("Field length exceeded")
	objConn.Close
	Response.End
End If

' Handle new topic creation
If appid = "new" Then
	If Len(newappname) = 0 Then
		Response.Write("New topic name is required")
		objConn.Close
		Response.End
	End If

	If Len(newsupportteamid) = 0 Then
		Response.Write("Support team is required for new topic")
		objConn.Close
		Response.End
	End If

	' Validate field lengths for new topic
	If Len(newappname) > 50 Or Len(newappdescription) > 255 Or Len(newapplicationnotes) > 512 Or Len(newinstallpath) > 255 Or Len(newdocumentationpath) > 512 Then
		Response.Write("New topic field length exceeded")
		objConn.Close
		Response.End
	End If

	' Handle new support team creation (nested)
	If newsupportteamid = "new" Then
		If Len(newsupportteamname) = 0 Then
			Response.Write("New support team name is required")
			objConn.Close
			Response.End
		End If

		If Len(newappownerid) = 0 Then
			Response.Write("App owner is required for new support team")
			objConn.Close
			Response.End
		End If

		If Len(newsupportteamname) > 50 Or Len(newsupportteamurl) > 512 Then
			Response.Write("New support team field length exceeded")
			objConn.Close
			Response.End
		End If

		' Handle new app owner creation (doubly nested)
		If newappownerid = "new" Then
			If Len(newappownername) = 0 Or Len(newappownersso) = 0 Then
				Response.Write("App owner name and SSO are required")
				objConn.Close
				Response.End
			End If

			If Len(newappownername) > 50 Or Len(newappownersso) > 255 Then
				Response.Write("App owner field length exceeded")
				objConn.Close
				Response.End
			End If

			' Insert new app owner using parameterized query
			Dim sqlNewOwner, cmdNewOwner
			sqlNewOwner = "INSERT INTO appowners (appowner, sso, isactive) VALUES (?, ?, 1)"
			Set cmdNewOwner = Server.CreateObject("ADODB.Command")
			cmdNewOwner.ActiveConnection = objConn
			cmdNewOwner.CommandText = sqlNewOwner
			cmdNewOwner.CommandType = 1
			cmdNewOwner.Parameters.Append cmdNewOwner.CreateParameter("@appowner", 200, 1, 50, newappownername)
			cmdNewOwner.Parameters.Append cmdNewOwner.CreateParameter("@sso", 200, 1, 255, newappownersso)

			On Error Resume Next
			cmdNewOwner.Execute

			If Err.Number <> 0 Then
				Response.Write("Error creating new app owner: " & Server.HTMLEncode(Err.Description))
				Set cmdNewOwner = Nothing
				objConn.Close
				Response.End
			End If

			' Get the newly created app owner ID
			Dim rsNewOwner
			Set rsNewOwner = objConn.Execute("SELECT LAST_INSERT_ID() AS newid")
			newappownerid = rsNewOwner("newid")
			rsNewOwner.Close
			Set rsNewOwner = Nothing
			Set cmdNewOwner = Nothing
			On Error Goto 0
		End If

		' Insert new support team using parameterized query
		Dim sqlNewTeam, cmdNewTeam
		sqlNewTeam = "INSERT INTO supportteams (teamname, teamurl, appownerid, isactive) VALUES (?, ?, ?, 1)"
		Set cmdNewTeam = Server.CreateObject("ADODB.Command")
		cmdNewTeam.ActiveConnection = objConn
		cmdNewTeam.CommandText = sqlNewTeam
		cmdNewTeam.CommandType = 1
		cmdNewTeam.Parameters.Append cmdNewTeam.CreateParameter("@teamname", 200, 1, 50, newsupportteamname)
		cmdNewTeam.Parameters.Append cmdNewTeam.CreateParameter("@teamurl", 200, 1, 512, newsupportteamurl)
		cmdNewTeam.Parameters.Append cmdNewTeam.CreateParameter("@appownerid", 3, 1, , CLng(newappownerid))

		On Error Resume Next
		cmdNewTeam.Execute

		If Err.Number <> 0 Then
			Response.Write("Error creating new support team: " & Server.HTMLEncode(Err.Description))
			Set cmdNewTeam = Nothing
			objConn.Close
			Response.End
		End If

		' Get the newly created support team ID
		Dim rsNewTeam
		Set rsNewTeam = objConn.Execute("SELECT LAST_INSERT_ID() AS newid")
		newsupportteamid = rsNewTeam("newid")
		rsNewTeam.Close
		Set rsNewTeam = Nothing
		Set cmdNewTeam = Nothing
		On Error Goto 0
	End If

	' Convert isactive checkbox
	Dim isActiveValue
	If newisactive = "1" Then
		isActiveValue = 1
	Else
		isActiveValue = 0
	End If

	' Insert new application/topic using parameterized query
	Dim sqlNewApp, cmdNewApp
	sqlNewApp = "INSERT INTO applications (appname, appdescription, supportteamid, applicationnotes, installpath, documentationpath, isactive, isinstallable, ishidden, isprinter, islicenced) " & _
	            "VALUES (?, ?, ?, ?, ?, ?, ?, 0, 0, 0, 0)"
	Set cmdNewApp = Server.CreateObject("ADODB.Command")
	cmdNewApp.ActiveConnection = objConn
	cmdNewApp.CommandText = sqlNewApp
	cmdNewApp.CommandType = 1
	cmdNewApp.Parameters.Append cmdNewApp.CreateParameter("@appname", 200, 1, 50, newappname)
	cmdNewApp.Parameters.Append cmdNewApp.CreateParameter("@appdescription", 200, 1, 255, newappdescription)
	cmdNewApp.Parameters.Append cmdNewApp.CreateParameter("@supportteamid", 3, 1, , CLng(newsupportteamid))
	cmdNewApp.Parameters.Append cmdNewApp.CreateParameter("@applicationnotes", 200, 1, 512, newapplicationnotes)
	cmdNewApp.Parameters.Append cmdNewApp.CreateParameter("@installpath", 200, 1, 255, newinstallpath)
	cmdNewApp.Parameters.Append cmdNewApp.CreateParameter("@documentationpath", 200, 1, 512, newdocumentationpath)
	cmdNewApp.Parameters.Append cmdNewApp.CreateParameter("@isactive", 11, 1, , CBool(isActiveValue))

	On Error Resume Next
	cmdNewApp.Execute

	If Err.Number <> 0 Then
		Response.Write("Error creating new topic: " & Server.HTMLEncode(Err.Description))
		Set cmdNewApp = Nothing
		objConn.Close
		Response.End
	End If

	' Get the newly created topic ID
	Dim rsNewApp
	Set rsNewApp = objConn.Execute("SELECT LAST_INSERT_ID() AS newid")
	appid = rsNewApp("newid")
	rsNewApp.Close
	Set rsNewApp = Nothing
	Set cmdNewApp = Nothing
	On Error Goto 0
End If

' UPDATE knowledge base article using parameterized query
Dim strSQL, cmdUpdate
strSQL = "UPDATE knowledgebase SET linkurl = ?, shortdescription = ?, keywords = ?, appid = ?, lastupdated = NOW() WHERE linkid = ?"
Set cmdUpdate = Server.CreateObject("ADODB.Command")
cmdUpdate.ActiveConnection = objConn
cmdUpdate.CommandText = strSQL
cmdUpdate.CommandType = 1
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@linkurl", 200, 1, 2000, linkurl)
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@shortdescription", 200, 1, 500, shortdescription)
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@keywords", 200, 1, 500, keywords)
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@appid", 3, 1, , CLng(appid))
cmdUpdate.Parameters.Append cmdUpdate.CreateParameter("@linkid", 3, 1, , CLng(linkid))

On Error Resume Next
cmdUpdate.Execute

If Err.Number = 0 Then
	Set cmdUpdate = Nothing
	objConn.Close
	Response.Redirect("displayknowledgearticle.asp?linkid=" & linkid & "&status=updated")
Else
	Set cmdUpdate = Nothing
	objConn.Close
	Response.Redirect("displayknowledgearticle.asp?linkid=" & linkid & "&status=error&msg=" & Server.URLEncode("Error: " & Server.HTMLEncode(Err.Description)))
End If
%>