This is a discussion on "PLEASE HELP - Passing Variables in Querystring" within the Classic ASP section. This forum, and the thread "PLEASE HELP - Passing Variables in Querystring", are both part of the Program Your Website category.
PLEASE HELP - Passing Variables in Querystring
#21
Nick, I think you mean XSS, not CSS.
#22
<blockquote id="quote" class="ffs">quote:<hr height="1" noshade="noshade" id="quote" />It is strongly recommended that when referring to members of a collection the full name be used. For example, rather than Request.("AUTH_USER") use Request.ServerVariables("AUTH_USER"). This allows the server to locate the item more quickly.<hr height="1" noshade="noshade" id="quote" /></blockquote>.... and that's straight from the mouth of Microsoft.
Request on its own will simply get a reference to each collection in turn.... the code behind the code will set up a loop and error trapping for that loop, and iterate each reference of the collection as well as gawd knows what else (if you've ever seen Microsoft code). Requesting it directly from the collection you expect is absolutely definitely quicker (ok, you don't care about the milliseconds Nick). No one will argue that it is good coding practice to declare variables... to not do so is lazy (which we all are from time to time). Why then, will you argue that referencing the request object in a lazy way is good coding practice?
__________________
Click the 'Thanks!' button if this post has helped you Rob - Webforumz Founder
Last Blog Entry: Creative Labs threaten developer over home made drivers.... (Apr 1st, 2008)
#23
<blockquote id="quote" class="ffs">quote:<hr height="1" noshade="noshade" id="quote" />Originally posted by Smokie
Nick, I think you mean XSS, not CSS.<hr height="1" noshade="noshade" id="quote" /></blockquote> Nope
#24
<blockquote id="quote" class="ffs">quote:<hr height="1" noshade="noshade" id="quote" />Originally posted by Rob
<blockquote id="quote" class="ffs">quote:<hr height="1" noshade="noshade" id="quote" />It is strongly recommended that when referring to members of a collection the full name be used. For example, rather than Request.("AUTH_USER") use Request.ServerVariables("AUTH_USER"). This allows the server to locate the item more quickly.<hr height="1" noshade="noshade" id="quote" /></blockquote>.... and that's straight from the mouth of Microsoft. Request on its own will simply get a reference to each collection in turn.... the code behind the code will set up a loop and error trapping for that loop, and iterate each reference of the collection as well as gawd knows what else (if you've ever seen Microsoft code). Requesting it directly from the collection you expect is absolutely definitely quicker (ok, you don't care about the milliseconds Nick). No one will argue that it is good coding practice to declare variables... to not do so is lazy (which we all are from time to time). Why then, will you argue that referencing the request object in a lazy way is good coding practice? <hr height="1" noshade="noshade" id="quote" /></blockquote>
This has nothing to do with security. It was stated (and you backed up) that it was a security issue. I pointed out that it was wrong. Obviously it's going to be slower. This wasn't in doubt. What I did state was that this is negligible. Programming is all about the balance between speed of execution and readability and ease of modification of code. I generally lean more to the latter with ASP, as it's hardly the speediest of scripting languages. In a normal page of execution, using request("...") is hardly going to be a bottleneck in comparison to what else I'll be doing on the page (namely db connections and multiple SQL queries). In fact, I'd go so far as to say it would be noticeable down to the millisecond (I find it amusing that ASP itself cannot set up timers at all accurately).
And this itself is usually negligible to the connection of the user and the server response speed. However this is all another conversation which I'm sure has been discussed to death.
#25
This *could be* a security issue in my opinion for applications written by people with less knowledge than you Nick. If they were not aware of exactly what is processed and in what order, or worse still, thought that request("blah") was THE way to access forms, then an EXTRA element of risk has just been introduced. If you had hidden fields in a form that were needed, for instance, on the next page to be of a certain value, or to point to records in a DB, then that could be an issue.... sure, you can argue forms can be altered, even hidden fields, but without knowing it, the developer (in this case) has introduced yet another issue. I just totally think Nick, that this practice should not be promoted, because I DO think it is bad coding practice and sloppy, and in less knowledgeable hands in the wrong circumstances and depending on what the code is doing, or blah, blah, blah *might* pose an EXTRA security issue (sure, the issue would have been there anyway, but less so). I don't think I want to endorse this method of accessing objects (other than for debugging) because a) I wouldn't do it myself b) Not ideal to teach a beginner (given that it is bad coding.. imo) c) There are faster methods. d) Depending on the developer, it *may* introduce a bigger risk if one existed to begin with. Just my opinion of course.... so we'll agree to disagree.
__________________
Rob - Webforumz Founder
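The risk Rob describes in #25 (and the Microsoft advice quoted in #22) can be shown in a few lines of Classic ASP. What follows is an added example, not code posted in this thread: it assumes a page that receives a POSTed form carrying a hidden field named "recordId" (a made-up name) and relies on the documented behaviour that an unqualified Request(name) searches the QueryString, Form, Cookies, ClientCertificate and ServerVariables collections in that order and returns the first match. The sloppy reader and the explicit reader sit side by side, followed by the validation a page should do anyway, since even Request.Form is client-supplied.

```vbscript
<%
' Added example (not from the thread). Assumes a POST handler whose form
' contains a hidden field "recordId" (hypothetical name).
'
' Classic ASP's unqualified Request(name) searches the collections in a
' fixed order: QueryString, Form, Cookies, ClientCertificate, ServerVariables.
' The first match wins, so a "recordId" in the URL shadows the hidden
' field the form actually posted. That is the "EXTRA element of risk":
' the developer believes they are reading the form, but are not.
Option Explicit

' Sloppy: whichever collection matches first wins.
Function GetRecordIdLoosely()
    GetRecordIdLoosely = Request("recordId")
End Function

' Explicit: read only the collection this page is designed to receive.
Function GetRecordIdFromForm()
    GetRecordIdFromForm = Request.Form("recordId")
End Function

' True when s is non-empty and made only of ASCII digits. IsNumeric alone
' is too loose: it accepts "1e3", "-5" and "1.0".
Function IsDigitsOnly(s)
    Dim i
    IsDigitsOnly = (Len(s) > 0)
    For i = 1 To Len(s)
        If InStr("0123456789", Mid(s, i, 1)) = 0 Then
            IsDigitsOnly = False
            Exit Function
        End If
    Next
End Function

' Defensive wrapper: the hidden field is still client-controlled, so coerce
' it to a positive Long and return 0 for anything else.
Function GetValidatedRecordId()
    Dim raw
    raw = Trim(Request.Form("recordId"))
    GetValidatedRecordId = 0
    ' Nine digits keeps the value inside a 32-bit Long.
    If IsDigitsOnly(raw) And Len(raw) <= 9 Then
        If CLng(raw) > 0 Then
            GetValidatedRecordId = CLng(raw)
        End If
    End If
End Function

' Only accept the method the form uses; a GET with ?recordId=... is rejected
' outright instead of silently being read through Request("recordId").
If Request.ServerVariables("REQUEST_METHOD") <> "POST" Then
    Response.Status = "405 Method Not Allowed"
    Response.End
End If

Dim id
id = GetValidatedRecordId()
If id = 0 Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid recordId"
    Response.End
End If

' id is now a validated Long; pass it to the database as a parameter of an
' ADODB.Command rather than concatenating it into SQL text.
Response.Write "Loaded record " & Server.HTMLEncode(CStr(id))
%>
```

With GetRecordIdLoosely a request to the page with "?recordId=42" in the URL would return 42 even though the posted form said something else; GetRecordIdFromForm ignores the URL entirely. The method check and the digits-only validation are the parts that matter for safety; choosing the collection explicitly is what makes the page's behaviour obvious to the next person reading it, which is the point both Rob and the Microsoft note are making.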
#26
In the context of this forum, CSS stands for Cascading Style Sheets and XSS stands for Cross Site Scripting... I know you meant cross site scripting but on this forum CSS means Cascading Style Sheets. (this is a web design/development forum!)
#27
Smokie.... could he be talking about injecting HTML/CSS into text fields destined for database?
It may be that.
__________________
Rob - Webforumz Founder
#28
Often people refer to Cross Site Scripting as CSS. There has been a lot of confusion with Cascading Style Sheets (CSS) and cross site scripting. Some security people refer to Cross Site Scripting as XSS. If you hear someone say "I found an XSS hole", they are talking about Cross Site Scripting for certain.
CSS and XSS are frequently used interchangeably and neither are wrong.... however CSS often causes confusion... so anyway, at least now our users know which one you meant.
__________________
Rob - Webforumz Founder
#29
Sorry for the confusion over CSS/XSS. I wasn't aware that you had a naming convention policy :P
[as you say, this is a web design/development forum. Specifically we are in an ASP - development - forum. cross-site scripting is a web development issue.]
#30
I think the confusion is clear, but now resolved.
__________________
Rob - Webforumz Founder
#31
<blockquote id="quote" class="ffs">quote:<hr height="1" noshade="noshade" id="quote" />Originally posted by Nick
Sorry for the confusion over CSS/XSS. I wasn't aware that you had a naming convention policy :P [as you say, this is a web design/development forum. Specifically we are in an ASP - development - forum. cross-site scripting is a web development issue.]<hr height="1" noshade="noshade" id="quote" /></blockquote> Yes but for obvious reasons it must be referred to as XSS, to avoid confusion.
#32
Shall I get the boxing gloves out guys?
__________________
Rob - Webforumz Founder
#33
I'm confused here Nick. You post as if you are trying to learn ASP, yet you quote 7 years experience. When you are given advice (maybe not 100% fact - but advice) you come back with a barrage of opinions as to why that advice is wrong.
Please try to direct your energies toward helping the original poster rather than point-scoring off the other members on the thread. When two experienced members begin to squabble over minute technical aspects, this causes increased confusion for the original poster.
#34
Agreed.
__________________
Rob - Webforumz Founder
#35
just_the_basix are you still following this thread? We *can* still help you!
#36
<blockquote id="quote" class="ffs">quote:<hr height="1" noshade="noshade" id="quote" />Originally posted by D3mon
I'm confused here Nick. You post as if you are trying to learn ASP, yet you quote 7 years experience. When you are given advice (maybe not 100% fact - but advice) you come back with a barrage of opinions as to why that advice is wrong. Please try to direct your energies toward helping the original poster rather than point-scoring off the other members on the thread. When two experienced members begin to squabble over minute technical aspects, this causes increased confusion for the original poster.<hr height="1" noshade="noshade" id="quote" /></blockquote>
My post was somewhat tongue-in-cheek. I was trying to make the point that a) we're all still learning, b) quoting your experience isn't proof that opinion was correct. I am willing to learn from others, regardless of their experience. I wasn't trying to help the original poster. I was questioning your help to the original poster. You suggested that using request("") is what was leading to random errors. I was questioning whether that was correct. I don't think you were helping o/p either, you were offering advice that he was not asking for. I see it frequently in forums that experts with undoubtedly years of experience making opinions stated as fact without being questioned, which can then be taken as fact. No point scoring, no squabbling, not minute technical aspects, no confusion, no boxing gloves. I don't really get uptight about my opinion on correct coding practices. Me just questioning you (and then rob
#37
<blockquote id="quote" class="ffs">quote:<hr height="1" noshade="noshade" id="quote" />...You suggested that using request("") is what was leading to random errors...<hr height="1" noshade="noshade" id="quote" /></blockquote>
...and I still stand by that statement 100%. The fact that the request method is not clearly defined in the code is causing enough confusion that it is not obvious why the random errors are occurring, therefore it is a contributory factor.