TOPIC REVIEW
Podge
Posted - 20 September 2005 : 17:15:06 Not sure if I should have posted this on the main forum or not so I thought I would post it here first and then move it if necessary.
I'm pretty sure that this line brought down one of my servers twice.
if request("ARCHIVE") = "true" then <-- this line here
strActivePrefix = strTablePrefix & "A_"
ArchiveView = "true"
else
strActivePrefix = strTablePrefix
ArchiveView = ""
end if
Should it not be - if request.QueryString("ARCHIVE") = "true" then
I have about five instances of this in the event logs: Error: File /post_info.asp Line 46 Operation not Allowed.
Then this: Faulting application w3wp.exe, version 6.0.3790.1830, faulting module unknown, version 0.0.0.0, fault address 0x00000103.
Then finally this: ISAPI 'C:\WINDOWS\system32\inetsrv\asp.dll' reported itself as unhealthy for the following reason: 'ASP unhealthy because 100% of executing requests are hung and 0% of the request queue is full.'
If the QueryString method is left out it appears that a malicious user could send any type of object to post_info.asp named "ARCHIVE" like a huge binary file, etc. which the server would accept.
What do you guys think?
15 LATEST REPLIES (Newest First)
Podge
Posted - 21 September 2005 : 19:39:32 You would expect that because request("ARCHIVE") is used twice that it would "cost" twice as much, but in truth it only costs slightly more. I read something somewhere a long time ago that stated that the second time you search the collection isn't as CPU-intensive as the first.
I doubt I will be able to get conclusive proof that that line is to blame for IIS crapping out. In my view it could only have been a (small) contributing factor at most but at least I can eliminate it now. I'll update this thread if I find anything.
Thanks for your help, Huwr.
HuwR
Posted - 21 September 2005 : 19:11:33 quote: In topic.asp when request("ARCHIVE") is specified in the code and ARCHIVE=true does not exist as a querystring IIS will check all 5 collections. That's a performance hit every time topic.asp is viewed. Servervariables is the most expensive to query CPU-wise as IIS has to retrieve a lot of data to respond e.g. http_host, server_name, etc. If querying all 5 collections can be avoided I think it should be.
That is a fair point, and one I hadn't considered; it actually checks it twice if it doesn't equal true. Now what would be interesting is to see what kind of difference it does make.
Podge
Posted - 21 September 2005 : 13:57:24 quote: mlev is not stored in your cookie by the way.
Well done. There's not a lot that can get past you, Huwr!
quote: Yes, it will check them all, but since this is down.asp performance is not really an issue.
In topic.asp when request("ARCHIVE") is specified in the code and ARCHIVE=true does not exist as a querystring IIS will check all 5 collections. That's a performance hit every time topic.asp is viewed. Servervariables is the most expensive to query CPU-wise as IIS has to retrieve a lot of data to respond e.g. http_host, server_name, etc. If querying all 5 collections can be avoided I think it should be.
HuwR
Posted - 21 September 2005 : 13:56:11 In any case, I can't see that this would be the cause of your crashing; it is just going to take a fraction of a second longer to parse the request object to get a value, or the entire object if a value does not exist. It isn't doing anything that would cause it to crash.
HuwR
Posted - 21 September 2005 : 13:43:19 Yes, it will check them all, but since this is down.asp performance is not really an issue.
mlev is not stored in your cookie by the way.
Podge
Posted - 21 September 2005 : 13:30:08 Using the mlev example in down.asp will the code not check all 5 collections if mlev is not present as a querystring or as a cookie (as will be the case for most users viewing down.asp)?
If you explicitly state request.querystring and request.cookies it will only check two collections.
HuwR
Posted - 21 September 2005 : 12:57:49 And just because MS recommends you do something one way does not make it "bad" to do it another.
HuwR
Posted - 21 September 2005 : 12:44:38 quote: Originally posted by Podge
I understand your point of view, Huwr; mine just differs from yours.
Microsoft strongly recommend specifying the sub collection here - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/html/9768ecfe-8280-4407-b9c0-844f75508752.asp
quote: It is strongly recommended that when referring to members of a collection the full name be used. For example, rather than Request.("AUTH_USER") use Request.ServerVariables("AUTH_USER"). This allows the server to locate the item more quickly.
I'm afraid you picked a bad example. It is quicker here because AUTH_USER is in the servervariables collection, which means that it will have to parse through the querystring and the form before getting to servervariables, so obviously it is quicker. However, in the two instances you quote from Snitz, we want to get the value either from the querystring or the form, so there is NO difference in the speed at which it retrieves the value if you use request("myvalue") or if you use (request.querystring("myvalue") or request.form("myvalue")). In fact, if the value is in the querystring then just using request("myvalue") will actually be faster, since it doesn't check the form collection, which you do when having to use the querystring OR form method.
quote: biggest culprit for crapping out asp is Access databases I'm afraid
The sql oledb provider is the only database driver being used.
Then it could be anything, and maybe nothing. I have had sites that persistently caused IIS to crash, but when moved to another pretty identical server behaved perfectly happily. ASP & IIS is a bit of a hit and miss affair in general, I'm afraid.
Podge
Posted - 21 September 2005 : 12:00:31 I understand your point of view, Huwr; mine just differs from yours.
Microsoft strongly recommend specifying the sub collection here - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/html/9768ecfe-8280-4407-b9c0-844f75508752.asp
quote: It is strongly recommended that when referring to members of a collection the full name be used. For example, rather than Request.("AUTH_USER") use Request.ServerVariables("AUTH_USER"). This allows the server to locate the item more quickly.
quote: biggest culprit for crapping out asp is Access databases I'm afraid
The sql oledb provider is the only database driver being used.
HuwR
Posted - 21 September 2005 : 09:26:39 quote: 1. Why would you want to have the system search for it when you can explicitly state where the collection is available (less work for the server)?
As I pointed out above, it is not; both examples you cite could be in either the querystring or the form collection, so request("member") is both neater and less code than using request.querystring("member") or request.form("member"), and in this instance will not be any slower or quicker.
quote: 2. It's less readable and bad programming practice. It wouldn't be such a burden to do it properly.
Again, for the same reasons, I disagree; who says it is "Bad" programming practice?
quote: Any idea what's happening in my first post? The server is using about 10% CPU on average and has about 1.5 GB of free memory. I still believe it's more of an IIS issue and has little to do with Snitz.
In my own experience dealing with asp & IIS, the errors you are getting are a consequence of asp having crashed rather than the actual cause. The biggest culprit for crapping out asp is Access databases, I'm afraid; ADO has many memory leaks and the Jet drivers are one of the worst culprits for clogging up a web server.
Podge
Posted - 21 September 2005 : 07:59:45 Thanks, Huwr, for your input. I have changed the subject of this topic.
These are the reasons I would change it to the fully qualified sub collection.
1. Why would you want to have the system search for it when you can explicitly state where the collection is available (less work for the server)?
2. It's less readable and bad programming practice. It wouldn't be such a burden to do it properly.
Any idea what's happening in my first post? The server is using about 10% CPU on average and has about 1.5 GB of free memory. I still believe it's more of an IIS issue and has little to do with Snitz.
HuwR
Posted - 21 September 2005 : 07:32:52 quote: Then it should be
if Request.QueryString("ARCHIVE") = true or Request.Form("ARCHIVE") = true
It does not matter; there is no security problem with this, and since querystring and form are the first two in the collection there is no real speed issue either, and it is less code to say request("ARCHIVE").
Podge
Posted - 21 September 2005 : 06:29:03 quote: Actually no it shouldn't be request.QueryString("ARCHIVE") , the value of ARCHIVE may come in the querystring or the form post, hence the reason it only specifies the request object.
Then it should be
if Request.QueryString("ARCHIVE") = true or Request.Form("ARCHIVE") = true
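The two-collection check discussed in this thread, written out as an added example (not part of the original post or of Snitz's own code): it reads ARCHIVE from QueryString and then Form only, so the lookup never falls through to Cookies, ClientCertificate or ServerVariables, and it keeps the string comparison (`= "true"`) that the original post_info.asp line uses rather than comparing to the Boolean True. GetArchiveFlag is an assumed helper name.

```vbscript
' Added example, not code from the original post or from Snitz.
' GetArchiveFlag (assumed name) consults only the two collections the
' page can legitimately arrive through: QueryString first, then Form.
' An unqualified Request("ARCHIVE") would also walk Cookies,
' ClientCertificate and ServerVariables before giving up.
Function GetArchiveFlag()
    Dim strValue
    strValue = Request.QueryString("ARCHIVE")
    If Len(strValue) = 0 Then strValue = Request.Form("ARCHIVE")
    ' Compare as a string, as the original line does (= "true"),
    ' so the result is a proper Boolean either way.
    GetArchiveFlag = (LCase(Trim(strValue)) = "true")
End Function

' Same branch as the original post_info.asp snippet, using the helper.
If GetArchiveFlag() Then
    strActivePrefix = strTablePrefix & "A_"
    ArchiveView = "true"
Else
    strActivePrefix = strTablePrefix
    ArchiveView = ""
End If
```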
Podge
Posted - 21 September 2005 : 05:30:04 Request("mlev") was cited as an example not as a security risk.
I won't know what happened exactly until I can go through the logs.
HuwR
Posted - 20 September 2005 : 20:45:50 quote: down.asp ignores the cookie value, takes the querystring value and displays the admin area login & password boxes to a normal user.
So what? You still need to log in, so how is it a security risk? Making it say request.querystring("mlev") would make absolutely no difference to your scenario, and once again, down.asp can be called via the querystring or from a form post, so again it needs to check both methods. And what does it have to do with request("ARCHIVE") anyway?