include virtual ------ variable

  • rd

    include virtual ------ variable

    I wanted to do this:
    <!-- #include virtual = <%=request("page")%> -->

    But that doesn't work. Help?!

    I have a static "container" asp page. Based on a querystring variable, I
    want the container page to include the appropriate content from another file
    in my web space.

    Static includes are cake:
    <!-- #include virtual="filename.htm" -->
    What if I want "filename" to be a variable, read from querystring?


  • Evertjan.

    #2
    Re: include virtual ------ variable

    rd wrote on 26 aug 2004 in microsoft.public.inetserver.asp.general:

    > Static includes are cake:
    > <!-- #include virtual="filename.htm" -->
    > What if I want "filename" to be a variable, read from querystring?

    You cannot, because #include is executed [read 'included'] before(!!!) the
    asp interpreting.

    Try:

    <%
    Server.execute request.querystring("blah.asp")
    %>

    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress,
    but let us keep the discussions in the newsgroup)


    • rd

      #3
      Re: include virtual ------ variable

      Thank you! I figured the order of execution was the reason. Didn't know
      about server.execute.

      This works:
      server.execute(request("pg"))

      When I refer to mypage.asp?pg=whatever.htm, it includes whatever.htm the way
      I wanted.

      Thanks again.

      -rd

      "Evertjan." <exjxw.hannivoort@interxnl.net> wrote in message
      news:Xns9551EFF30A355eejj99@194.109.133.29...
      > rd wrote on 26 aug 2004 in microsoft.public.inetserver.asp.general:
      >
      > > Static includes are cake:
      > > <!-- #include virtual="filename.htm" -->
      > > What if I want "filename" to be a variable, read from querystring?
      >
      > You cannot, because #include is executed [read 'included'] before(!!!) the
      > asp interpreting.
      >
      > Try:
      >
      > <%
      > Server.execute request.querystring("blah.asp")
      > %>
      >
      > --
      > Evertjan.
      > The Netherlands.
      > (Please change the x'es to dots in my emailaddress,
      > but let us keep the discussions in the newsgroup)



      • Evertjan.

        #4
        Re: include virtual ------ variable

        rd wrote on 26 aug 2004 in microsoft.public.inetserver.asp.general:

        > Thank you! I figured the order of execution was the reason. Didn't
        > know about server.execute.
        >
        > This works:
        > server.execute(request("pg"))
        >
        > When I refer to mypage.asp?pg=whatever.htm, it includes whatever.htm
        > the way I wanted.

        Beware, this will not always execute the file you wanted.

        The joy of serversidedness [like singlemindedness ;-) ] is that you have
        perfect control without the client interfering.

        And now you give away the key of your include back to the client, so any
        hacker can include another file of yours, possibly even opening a way to
        sql-injection and corrupting your database, if you are using databases.

        Furthermore [if you are still determined to do it this way] always use:
        request.querystring("pg")), otherwise if the querystring 'pg' is not
        found, a cookie or any other request variable could be read.

        So why not restrict the choices to the ones you think are safe:

        r = request.querystring("pg")
        if r="whatever.htm" or r="whateverelse.htm" then
            server.execute(r)
        else
            response.write "Hacker !":response.end
        end if

        --
        Evertjan.
        The Netherlands.
        (Please change the x'es to dots in my emailaddress,
        but let us keep the discussions in the newsgroup)
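
The allowlist from post #4, generalized into a lookup table (an added example, not part of the original thread): the client sends only a short key, and the server maps it to a fixed file before calling Server.Execute. The keys `home` and `about`, the default page and the 404 response are assumptions for illustration.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit

' Constructed allowlist: key accepted from the client -> file executed.
' Keys and the 404 response are illustrative assumptions; the file names
' are the ones used in the thread.
Dim pages, key
Set pages = Server.CreateObject("Scripting.Dictionary")
pages.CompareMode = vbTextCompare      ' "Home" and "home" are the same key
pages.Add "home",  "whatever.htm"
pages.Add "about", "whateverelse.htm"

' Read the query string only. Request("pg") would fall through to form
' fields, cookies and server variables when the query string has no "pg".
key = Trim(Request.QueryString("pg"))
If key = "" Then key = "home"          ' default page when no key is sent

If pages.Exists(key) Then
    ' The path handed to Server.Execute comes from the table above,
    ' never from the request, so no client input reaches the file system.
    Server.Execute pages(key)
Else
    ' Unknown key: fail closed and do not echo the rejected value back,
    ' since it is attacker-controlled text.
    Response.Status = "404 Not Found"
    Response.Write "Page not found."
    Response.End
End If
%>
```

A repeated `pg` parameter arrives as a comma-joined string, which matches no key and is rejected like any other unknown value.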
