
How to call a specific server-side method?

Hi,

I'm just learning how to use the XmlHttpRequest object. Very cool.
However, I'm wondering how I can call a specific server-side method.
For example, say I have a method defined as follows on an ASP.NET
code-behind file

public string GetServerTime()
{
    return DateTime.Now.ToShortTimeString();
}

Would I have to change the request method to POST? Could someone post
an example please? Or can I simply not call a method, and have to call
the method from the Page_Load event?

Nov 3 '05 #1
7 Replies


Cyphos wrote:
> I'm just learning how to use the XmlHttpRequest object. Very cool.
> However, I'm wondering how I can call a specific server-side method.

You cannot do that directly.

> For example, say I have a method defined as follows on an ASP.NET
> code-behind file
>
> public string GetServerTime()
> {
>     return DateTime.Now.ToShortTimeString();
> }
>
> Would I have to change the request method to POST? Could someone post
> an example please? Or can I simply not call a method, and have to call
> the method from the Page_Load event?


Either question has to be answered with: You have not yet understood how
XMLHTTPRequest works. Here it is in short: it sends a request to a host
which is running a HTTP server, returns information about the request
status and the server reply. Nothing more, nothing less.

So if you want to call a specific server-side method, that has to be done
server-side in an (ASP.NET) application that is executed when the specific
resource is requested, such as

<%@ LANGUAGE = JScript %>
<%= GetServerTime() %>

(Even though the interface is named XMLHttpRequest, you do not need to
return XML content; any output will do.)

HTH

PointedEars
Nov 3 '05 #2

Cyphos wrote:
> I'm just learning how to use the XmlHttpRequest object. Very cool.
> However, I'm wondering how I can call a specific server-side method.

You would have to construct which would cause the server side script to
execute that method. This is most easily achieved by specifying it in the
query string (and altering the server side script to check that query
string parameter).

--
David Dorward <http://blog.dorward.me.uk/> <http://dorward.me.uk/>
Home is where the ~/.bashrc is
Nov 3 '05 #3

David Dorward wrote:
> Cyphos wrote:
> > I'm just learning how to use the XmlHttpRequest object. Very cool.
> > However, I'm wondering how I can call a specific server-side method.
>
> You would have to construct which would cause the server side script to
> execute that method. This is most easily achieved by specifying it in the
> query string (and altering the server side script to check that query
> string parameter).

Which of course would be potentially dangerous since an attacker
could then probably execute arbitrary code server-side:

http://foo.bar/baz.asp?delete_all_files%28%29

PointedEars
Nov 3 '05 #4

Thomas 'PointedEars' Lahn said the following on 11/3/2005 4:21 AM:
> David Dorward wrote:
>
> > Cyphos wrote:
> > > I'm just learning how to use the XmlHttpRequest object. Very cool.
> > > However, I'm wondering how I can call a specific server-side method.
> >
> > You would have to construct which would cause the server side script to
> > execute that method. This is most easily achieved by specifying it in the
> > query string (and altering the server side script to check that query
> > string parameter).
>
> Which of course would be potentially dangerous since an attacker
> could then probably execute arbitrary code server-side:
>
> http://foo.bar/baz.asp?delete_all_files%28%29

Only if you are stupid enough to allow it.

--
Randy
comp.lang.javascript FAQ - http://jibbering.com/faq & newsgroup weekly
Javascript Best Practices - http://www.JavascriptToolbox.com/bestpractices/
Nov 3 '05 #5

VK

Cyphos wrote:
> Hi,
>
> I'm just learning how to use the XmlHttpRequest object. Very cool.
> However, I'm wondering how I can call a specific server-side method.
> For example, say I have a method defined as follows on an ASP.NET
> code-behind file
>
> public string GetServerTime()
> {
>     return DateTime.Now.ToShortTimeString();
> }
>
> Would I have to change the request method to POST? Could someone post
> an example please? Or can I simply not call a method, and have to call
> the method from the Page_Load event?

You can use WebService behavior:
<http://msdn.microsoft.com/library/default.asp?url=/workshop/author/webservice/overview.asp>

Nov 3 '05 #6

Thomas 'PointedEars' Lahn wrote:
> > You would have to construct which would cause the server side script to
> > execute that method. This is most easily achieved by specifying it in the
> > query string (and altering the server side script to check that query
> > string parameter).
>
> Which of course would be potentially dangerous since an attacker
> could then probably execute arbitrary code server-side:
>
> http://foo.bar/baz.asp?delete_all_files%28%29

Easily avoided... Just don't include the code:

if ($action eq "delete_all_files") {
    system('rm -rf /');
}

--
David Dorward <http://blog.dorward.me.uk/> <http://dorward.me.uk/>
Home is where the ~/.bashrc is
Nov 4 '05 #7

David Dorward wrote:
> Thomas 'PointedEars' Lahn wrote:
> > > You would have to construct which would cause the server side script to
> > > execute that method. This is most easily achieved by specifying it in the
> > > query string (and altering the server side script to check that query
> > > string parameter).
> >
> > Which of course would be potentially dangerous since an attacker
> > could then probably execute arbitrary code server-side:
> >
> > http://foo.bar/baz.asp?delete_all_files%28%29
>
> Easily avoided... Just don't include the code:
>
> if ($action eq "delete_all_files") {
>     system('rm -rf /');
> }

Which proves my point. GET is dangerous here. POST is less dangerous.
Even less dangerous would be something like a confirmation document or
server-side sessions or ...

PointedEars
Nov 4 '05 #8
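
The query-string dispatch debated in replies #3 to #8, as an added example that is not part of any post in the thread: the server resolves the requested name against a fixed table of handlers instead of evaluating it, and serves only read-only actions over GET. The `action` parameter name, the handler names and the sample requests are assumptions constructed for illustration.

```javascript
// Added example; the "action" parameter and handler names are assumptions.
// Browser side, the call is an ordinary request for the resource, e.g.
//   xhr.open("GET", "/baz.asp?action=getServerTime");

// The only server-side functions a request can reach. `safe` marks read-only
// actions that may be served over GET; anything else must arrive as POST.
const ACTIONS = new Map([
  ["getServerTime", { safe: true, run: () => new Date().toISOString() }],
  ["clearCache", { safe: false, run: () => "cache cleared" }],
]);

// Resolve (HTTP method, request URL) to a status and body without ever
// evaluating request text or looking names up on a general-purpose object.
function dispatch(method, rawUrl) {
  const url = new URL(rawUrl, "http://localhost"); // base only used for parsing
  const action = ACTIONS.get(url.searchParams.get("action"));
  if (action === undefined) {
    return { status: 404, body: "unknown action" };
  }
  const allowed = method === "POST" || (method === "GET" && action.safe);
  if (!allowed) {
    return { status: 405, body: "method not allowed" };
  }
  return { status: 200, body: action.run() };
}

// Constructed sample requests, including the URL quoted in the thread.
const samples = [
  ["GET", "/baz.asp?action=getServerTime"],
  ["GET", "/baz.asp?delete_all_files%28%29"],
  ["GET", "/baz.asp?action=delete_all_files"],
  ["GET", "/baz.asp?action=clearCache"],
  ["POST", "/baz.asp?action=clearCache"],
];
for (const [method, url] of samples) {
  console.log(method, url, "->", dispatch(method, url).status);
}
```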

This discussion thread is closed
