rd wrote on 26 aug 2004 in microsoft.public.inetserver.asp.general:
Thank you! I figured the order of execution was the reason. Didn't
know about server.execute.
This works:
server.execute(request("pg"))
When I refer to mypage.asp?pg=whatever.htm, it includes whatever.htm
the way I wanted.
Beware, this will not always execute the file you wanted.
The joy of serversidedness [like singlemindedness ;-) ] is that you have
perfect control without the client interfering.
And now you give away the key of your include back to the client, so any
hacker can include another file of yours, possibly even opening a way to
sql-injection and corrupting your database, if you are using databases.
Furthermore [if you are stil determined to do it this way] always use:
request.querystring("pg")), otherwise if the querystring 'pg' is not
found, a cookie or any other request variable could be read.
So why not restrict the choices to the ones you think are safe:
r = request.querystring("pg")
if r="whatever.htm" or r="whateverelse.htm" then
server.execute(r)
else
response.write "Hacker !":response.end
end if
--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress,
but let us keep the discussions in the newsgroup)
