include virtual ------ variable


rd

I wanted to do this:
<!-- #include virtual = <%=request("page")%> -->

But that doesn't work. Help?!

I have a static "container" asp page. Based on a querystring variable, I
want the container page to include the appropriate content from another file
in my web space.

Static includes are cake:
<!-- #include virtual="filename.htm" -->
What if I want "filename" to be a variable, read from querystring?
 

Evertjan.

rd wrote on 26 aug 2004 in microsoft.public.inetserver.asp.general:
> Static includes are cake:
> <!-- #include virtual="filename.htm" -->
> What if I want "filename" to be a variable, read from querystring?

You cannot, because #include is executed [read 'included'] before(!!!) the
asp interpreting.

Try:

<%
Server.execute request.querystring("blah.asp")
%>
 

rd

Thank you! I figured the order of execution was the reason. Didn't know
about server.execute.

This works:
server.execute(request("pg"))

When I refer to mypage.asp?pg=whatever.htm, it includes whatever.htm the way
I wanted.

Thanks again.

-rd



Evertjan. said:
rd wrote on 26 aug 2004 in microsoft.public.inetserver.asp.general:
Static includes are cake:
<!-- #include virtual="filename.htm" -->
What if I want "filename" to be a variable, read from querystring?

You cannot, because #include is executed [read 'included'] before(!!!) the
asp interpreting.

Try:

<%
Server.execute request.querystring("blah.asp")
%>

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress,
but let us keep the discussions in the newsgroup)
 

Evertjan.

rd wrote on 26 aug 2004 in microsoft.public.inetserver.asp.general:
> Thank you! I figured the order of execution was the reason. Didn't
> know about server.execute.
>
> This works:
> server.execute(request("pg"))
>
> When I refer to mypage.asp?pg=whatever.htm, it includes whatever.htm
> the way I wanted.

Beware, this will not always execute the file you wanted.

The joy of serversidedness [like singlemindedness ;-) ] is that you have
perfect control without the client interfering.

And now you give away the key of your include back to the client, so any
hacker can include another file of yours, possibly even opening a way to
sql-injection and corrupting your database, if you are using databases.

Furthermore [if you are still determined to do it this way] always use:
request.querystring("pg"), otherwise if the querystring 'pg' is not
found, a cookie or any other request variable could be read.

So why not restrict the choices to the ones you think are safe:

r = request.querystring("pg")
if r="whatever.htm" or r="whateverelse.htm" then
    server.execute(r)
else
    response.write "Hacker !":response.end
end if
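
An added example, not part of the original thread, that generalizes the allowlist above: the query string carries only a short key, and the file name passed to Server.Execute always comes from a server-side table. The keys `whatever` and `whateverelse` and the 404 response are assumptions made for illustration; the file names are the ones used in the thread.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit

' Server-side table of permitted pages. The client chooses a key,
' never a path, so no request value ever reaches Server.Execute.
' Keys are assumed names; the files are the ones from the thread.
Dim pages
Set pages = Server.CreateObject("Scripting.Dictionary")
pages.CompareMode = vbTextCompare   ' case-insensitive keys; set before adding items
pages.Add "whatever", "whatever.htm"
pages.Add "whateverelse", "whateverelse.htm"

' Read from the query string only. The merged Request("pg") lookup
' would fall back to form fields, cookies and server variables.
Dim pgValues, key
Set pgValues = Request.QueryString("pg")
key = Trim(pgValues)

' Require exactly one pg value: a repeated parameter arrives as
' "a, b" and should be rejected rather than guessed at.
If pgValues.Count = 1 And pages.Exists(key) Then
    Server.Execute pages(key)
Else
    ' Unknown or missing key: fail closed and do not echo the input.
    Response.Status = "404 Not Found"
    Response.Write "Page not found."
End If
%>
```

With this layout a request such as mypage.asp?pg=whatever includes whatever.htm, and any value not present in the table gets the same 404 response.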
 
