tags:

views:

84

answers:

3
+1  Q: 

Response.Write or plain ol' HTML

Hi there!

What is better coding practice, with speed in mind (Classic ASP):

sPg=sPg& "<select id=""actions"" onchange=""emact(this.value)"">"
sPg=sPg& "<option value=""""></option>"
sPg=sPg& "<option value=""read"">read</option>"
sPg=sPg& "<option value=""unread"">unread</option>"
sPg=sPg& "<option value=""spam"">spam</option>"
sPg=sPg& "<option value=""unspam"">unspam</option>"
sPg=sPg& "<option value=""delete"">delete</option>"
sPg=sPg& "<option value=""undelete"">undelete</option>"

OR

<select id="actions" onchange="emact(this.value)">
<option></option>
<option value="read">read</option>
<option value="unread">unread</option>
<option value="spam">spam</option>
<option value="unspam">unspam</option>
<option value="delete">delete</option>
<option value="undelete">undelete</option>

think this, but on a way larger scale (online store backend written this way almost completely, working on a new version) - I am going convert it all to easy to manage HTML instead of response.write each time, but I just want to know the by doing that, I am not digging myself a hole.

+1  A: 

If you are re-writing why are you going to use 10 year old technology?

(Use the 2nd one.)

Hogan  2010-01-21 22:08:16
This is a fantastic point, however I'm not sure I have a choice...however before we begin I am rooting for a PHP conversion... we'll see.
Eddie  2010-01-21 22:10:01
or .Net if they are already a MS shop. Classic ASP -> .NET is way easy (as microsoft intended) you can pick sections you want to upgrade (as I remember.)
Hogan  2010-01-21 22:11:41
A: 

Wouldn't the argument for using Response.Write over HTML be the same one for parameterizing SQL statements over straight SQL queries? Meaning, to close a few loopholes for possible injection?

John at CashCommons  2010-01-21 22:08:28
You still have to sanitize the user input -- it does not help AFAICT.
Hogan  2010-01-21 22:13:26
(with parameterized sql the server enforces content and will not let the parameter end the current statement -- it also will also cache the execution plan in some cases).
Hogan  2010-01-21 22:14:32
How does Response.Write close any injection loopholes? You still have to call any HTML-encoding function you want manually.
bobince  2010-01-21 22:14:39
I guess it doesn't, then. Not having worked with it, I thought it might do some user input sanitation, but apparently not.
John at CashCommons  2010-01-21 22:21:05
A: 

That's what I would do.

There is absolutely no good reason to go with creating the whole HTML structure through string concatenation, and you will gain a bit of performance by changing to straight HTML.

It would also be more maintainable, as you won't have to worry about escaping quotes and making sure your strings are properly concatenated.

Oded  2010-01-21 22:09:24

related questions

Autosizing Textarea
Regular expression for parsing links from a webpage?
What are good tools for creating compiled HTML help files (.chm)?
Looking for WYSIWYG HTML editor
Any reason not to start using the HTML 5 doctype?
HTML comments break down
HTML Comments Markup
Setting a div's height in HTML with CSS
Wrapping lists into columns
Is a "Confirm Email" input good practice when user changes email address?
<XMP> Tag
HTML version choice
Options for HTML scraping?
How do you disable browser Autocomplete on web form field / input tag?
How do I make a checkbox toggle from clicking on the text label as well?
Html CSS Editor
Wordpress theme development offline tools
How do I give my web sites an icon for iPhone?
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
How do I print an HTML document from a web service?
Multiple submit buttons on a HTML form
How can I determine a web user's time zone?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?