ansaurus

Question

Answer 1

+2 A:

If you include a file via a string variable: , then depending on how that variable is filled there are possible attacks a hacker could do to include his own files and run arbitrary code on your machine. But as long as you use a string literal, you won't run into this problem.

I would use Master Pages in ASP.NET. This is the accepted way to have common areas of a page.

You would create a Master Page similarly as you would regular pages, then modification of each of the other pages would be minimal. Add a single line to the top of each page file, then specify the sections used.

Aaron 2010-01-29 19:55:42

what's the problem with server-side includes aside from them being old-school?

Yar 2010-01-29 19:59:12

If you eliminate the potential security threats with server-side includes, there's really nothing wrong with them. I just prefer Master Pages and all the useful stuff you can do with them.

Aaron 2010-01-29 20:01:54

Cool thank you, I'm trying not to do anything interesting on this particular project :)... what are the security risks? You have to name them .aspx and that's it?

Yar 2010-01-29 20:10:33

If you include a file via a string variable: ``, then depending on how that variable is filled there are possible attacks a hacker could do to include his own files and run arbitrary code on your machine. But as long as you use a string literal, you won't run into this problem.

Aaron 2010-01-29 20:32:35

cool, could you put that in your answer so I can upvote and mark it best answer please? Though Master Pages are nice and alll...

Yar 2010-01-29 20:37:38

Ask and ye shall receive (though the promise of a best answer certainly doesn't hurt ;))

Aaron 2010-01-29 21:00:00

Thanks Aaron and good luck on SO...

Yar 2010-01-30 01:55:54

Answer 2

+1 A:

No, you most definitely do not need to use fancy .NET web form ways of doing this, if you want to keep it simple. Just put this at the points where you want it inserted:

<!--#include virtual="../repeatStuff/fun.html" -->

The html will show up there. I gave a path one up and down another directory. This is "easiest", but also has the virtue of being very straightforward. Note that this won't show up in your visual designer. (I never use it anyway.)

Patrick Karcher 2010-01-29 20:00:22

Visual designer... what's that? I code with Speech Recognition software in my car only, and then I say, "deploy."

Yar 2010-01-29 20:28:31

So, you just drive back and forth between work? I guess you might stop at work for meetings, then drive home and back to generate code. I myself just have two buttons, for 0's and 1's; that's all I use. I typically code straight to production, to avoid deployment issues.

Patrick Karcher 2010-01-30 12:31:27

Answer 3

+1 A:

I still use includes every once in awhile for exactly the purpose you describe.

You don't really need to register a user control because it's just plain html anyway. And you don't want a master page because it's really just a snippet of html that needs to be on a few select pages.

So I've got includes like this from a glossary of help text files:

<!--#include file="~/Glossary/BusinessDetails.inc"-->

In my opinion there's nothing wrong with using old school include files for this purpose.

Steve Wortham 2010-01-29 20:02:49

cool, thanks for that. to be honest, I'm trying to provoke the do-not-use-include police, because I know that they are out there. But +1 for now :)

Yar 2010-01-29 20:26:23

Answer 4

A:

I don't see anything wrong with "the old school" programming either :)

Jane 2010-01-29 20:47:55

-1: doesn't answer the question.

John Saunders 2010-01-30 11:50:06

ansaurus

tags:

views:

answers:

Problems with Server-side Includes

related questions