Cookie to textbox?

vbMark

What am I doing wrong here?

<%
UserID = Request.Cookies("emu")("UserID")
%>

<TABLE>
<TR>
<TD>UserID: <INPUT id=UserID value="<%=UserID%>"></TD>
</TR>
</TABLE>

The textbox shows <%=UserID%> and not the value.

Any ideas?

Thanks!
 
vbMark

Code looks good to me, what is the value in the cookie?

Sorry, it was just showing wrong in InterDev's Quick View. It works fine
when viewed in the web browser.

Thanks.
 
Manohar Kamath

That's what I thought... Quick View is an HTML view of the page, and the
page is not "executed".
 
Evertjan.

Curt_C [MVP] wrote on 11 Oct 2004 in
microsoft.public.inetserver.asp.general:
<TD>UserID: <INPUT id=UserID value="<%=UserID%>"></TD>

should be

<TD>UserID: <INPUT id=UserID value=<%=UserID%>></TD>

This is bad advice, as it will go wrong if UserID contains an inside space.
 
Dave Anderson

vbMark said:
What am I doing wrong here?

UserID = Request.Cookies("emu")("UserID")
...
<INPUT id=UserID value="<%=UserID%>">

Never mind QuickView, two other potential problems leap to mind:

1. Storing UserID as a cookie suggests a poor security model
unless this is just a device of convenience similar to the
way the Windows login prompt stores that Login ID of the
last person to log in

2. Unless you are in complete control of the range of possible
values for UserID, it might not hurt to display it like
this:

<INPUT id=UserID value="<%=Server.HTMLEncode(UserID)%>">


--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
 
vbMark

Never mind QuickView, two other potential problems leap to mind:

1. Storing UserID as a cookie suggests a poor security model
unless this is just a device of convenience similar to the
way the Windows login prompt stores that Login ID of the
last person to log in

This is just for our developers and testers.

2. Unless you are in complete control of the range of possible
values for UserID, it might not hurt to display it like
this:

<INPUT id=UserID value="<%=Server.HTMLEncode(UserID)%>">

Why, what does this do?
 
Dave Anderson

vbMark said:
Why, what does this do?

It HTMLEncodes the value, which is how you protect your HTML from being
inadvertently broken by characters like this:

" ><&
^^^^^

Generally not a big issue for UserIDs, I agree. But if you let your users
choose their own IDs, what happens when someone chooses [The "Dude"] ? Your
subsequent HTML:

<input id="UserID" value="The "Dude"">


Know thy data.


--
Dave Anderson

Unsolicited commercial email will be read at a cost of $500 per message. Use
of this email address implies consent to these terms. Please do not contact
me directly or ask me to contact you directly for assistance. If your
question is worth asking, it's worth posting.
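
The three renderings discussed in this thread (unquoted, quoted, and quoted with encoding), as an added example that is not part of any poster's message. It is written in Python rather than ASP so it can be run offline: html.escape stands in for Server.HTMLEncode, the standard-library HTMLParser stands in for the browser, and the sample UserID values are constructed.

```python
from html import escape
from html.parser import HTMLParser

# {v} is where <%=UserID%> lands; {e} is where the encoded value lands.
TEMPLATES = {
    "unquoted": '<input id=UserID value={v}>',    # no quotes around the value
    "quoted":   '<input id=UserID value="{v}">',  # quotes, value written raw
    "encoded":  '<input id=UserID value="{e}">',  # quotes plus HTML encoding
}


class _InputGrabber(HTMLParser):
    """Records the attribute list of the first <input> start tag."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = attrs


def render(style, user_id):
    """Build the tag the server would send for the given rendering style."""
    return TEMPLATES[style].format(v=user_id, e=escape(user_id, quote=True))


def parsed(style, user_id):
    """Return (value attribute, stray attribute names) as a parser sees the tag."""
    grabber = _InputGrabber()
    grabber.feed(render(style, user_id))
    grabber.close()
    attrs = grabber.attrs or []
    value = next((v for name, v in attrs if name == "value"), None)
    stray = [name for name, _ in attrs if name not in ("id", "value")]
    return value, stray


if __name__ == "__main__":
    # Constructed sample UserIDs: plain, with a space, with quotes.
    for uid in ("vbMark", "John Smith", 'The "Dude"'):
        for style in TEMPLATES:
            value, stray = parsed(style, uid)
            ok = "ok    " if (value == uid and not stray) else "BROKEN"
            print(f"{ok} {style:8} {render(style, uid)}  -> value={value!r} stray={stray}")
```

Only the encoded form round-trips every sample: the unquoted form truncates at the space, and the quoted raw form truncates at the first double quote and turns the remainder into a stray attribute.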
 