davemaxwell
Access 2000 Support Moderator
    
USA
3020 Posts |
Posted - 17 October 2002 : 11:08:05
|
The problem with that is like in the search page, you can search just one forum, which is passed in the querystring. But the rest comes from the form (I think, don't have the code in front of me - the forumID might get moved into a form field before searching...). What I would prefer is a function that searches the querystring first, then if nothing is there, it hits the form. Just so it only hits those two object types and not all eight. |
Dave Maxwell Barbershop Harmony Freak |
 |
|
GauravBhabu
Advanced Member
    
4288 Posts |
Posted - 17 October 2002 : 11:16:29
|
quote: Originally posted by davemaxwell
The problem with that is like in the search page, you can search just one forum, which is passed in the querystring. But the rest comes from the form (I think, don't have the code in front of me - the forumID might get moved into a form field before searching...). .
forum - forumid I guess you are referring to search.asp.
quote: What I would prefer is a function that searches the querystring first, then if nothing is there, it hits the form. Just so it only hits those two object types and not all eight
This part does that
sub InitRequestVars()
    dim objRequest
    if Request.QueryString <> "" then
        Set objRequest = Request.QueryString
    else
        Set objRequest = Request.Form
    end if |
Edited by - GauravBhabu on 17 October 2002 11:19:52 |
 |
|
davemaxwell
Access 2000 Support Moderator
    
USA
3020 Posts |
Posted - 17 October 2002 : 11:20:43
|
Yeah, like if I go into the Community:Announcements forum and click the search button, this is the URL: http://forum.snitz.com/forum/search.asp?FORUM_ID=20
That will only search for posts matching the criteria in that Forum_ID, not the entire forum......never mind. I see how it does it. It presets the search in forum: box with appropriate forum. NEVER MIND.... |
Dave Maxwell Barbershop Harmony Freak |
 |
|
GauravBhabu
Advanced Member
    
4288 Posts |
Posted - 17 October 2002 : 11:43:49
|
Here is what I did. members.asp, lines 74-101: replaced with the following statements
dim SortMethod, strSortMethod, strSortMethod2
dim strMode
dim SearchName
dim srchUName, srchFName, srchLName, srchInitial
if ((Request.Form = "") And (Request.QueryString = "")) then
    strMode = "" : SearchName = ""
    srchUName = "" : srchFName = ""
    srchLName = "" : srchInitial = ""
else
    Call InitRequestVars()
end if
Added the following functions to members.asp
sub InitRequestVars()
    dim objRequest
    if Request.Form("mode") = "search" then
        Set objRequest = Request.Form
    else
        Set objRequest = Request.Querystring
    end if
    SortMethod = Trim(objRequest("method"))
    strMode = (objRequest("mode"))
    SearchName = objRequest("M_NAME")
    srchUName = objRequest("UserName")
    srchFName = objRequest("FirstName")
    srchLName = objRequest("LastName")
    srchInitial = objRequest("INITIAL")
    Set objRequest = Nothing
    Rem -Sort Method
    if SortMethod <> "" then
        SortMethod = Trim(chkString(SortMethod, "SQLString"))
        strSortMethod = "&method=" & SortMethod
        strSortMethod2 = "?method=" & SortMethod
    end if
    strMode = Trim(chkString(strMode, "SQLString"))
    if strMode <> "search" then strMode = ""
    Rem -Search For
    SearchName = Trim(chkString(SearchName, "SQLString"))
    Rem -Find Match in Username
    if srchUName <> "" then srchUName = CheckNumeric(srchUName, "1")
    Rem -Find Match in FirstName
    if srchFName <> "" then srchFName = CheckNumeric(srchFName, "0")
    Rem -Find Match in LastName
    if srchLName <> "" then srchLName = CheckNumeric(srchLName, "0")
    Rem -Match Initial
    if srchInitial <> "" then srchInitial = CheckNumeric(srchInitial, "0")
end sub
function CheckNumeric(lngNumber, strNumber)
    if IsNumeric(lngNumber) then
        CheckNumeric = cLng(lngNumber)
    else
        CheckNumeric = strNumber
    end if
end function
DEMO HERE username: snitz password: snitz |
Edited by - GauravBhabu on 18 October 2002 01:18:08 |
 |
|
HuwR
Forum Admin
    
United Kingdom
20595 Posts |
Posted - 17 October 2002 : 12:21:20
|
quote:
quote:
SearchName = trim(chkString(Request("M_NAME"), "SQLString"))
if SearchName = "" then
    SearchName = trim(chkString(Request.Form("M_NAME"), "SQLString"))
end if
Uhhmmmm...if it can't find it in the generic request object on the first check, it's not going to find it in the request.form object since the generic checks request.form.
That was the point I was trying to make, if you do this SearchName = trim(chkString(Request("M_NAME"), "SQLString")) then the if then statement is just a waste of code. |
 |
|
GauravBhabu
Advanced Member
    
4288 Posts |
Posted - 17 October 2002 : 15:09:36
|
quote: Originally posted by HuwR
...That was the point I was trying to make, if you do this SearchName = trim(chkString(Request("M_NAME"), "SQLString")) then the if then statement is just a waste of code.
It is not that I have not understood your point. In fact that was my initial thought also. But consider the point in my post Here and solutions Solution #1 Solution #2 |
 |
|
HuwR
Forum Admin
    
United Kingdom
20595 Posts |
Posted - 17 October 2002 : 16:11:35
|
I understand your point, I think we were just arguing different points. I like your solution, but am inclined to agree with Richard that a generic function may be more useful, but does not need to do all checks like you suggested previously, since the blank request("") as far as I know only ever refers to either the form or the querystring, and it is never used this way to retrieve from the cookies etc, so something as simple as
function GetRequestVar(NAME)
    dim objRequest
    if Request.QueryString <> "" then
        Set objRequest = Request.QueryString
    else
        Set objRequest = Request.Form
    end if
    GetRequestVar = objRequest(NAME)
end function
or something similar |
 |
|
GauravBhabu
Advanced Member
    
4288 Posts |
Posted - 17 October 2002 : 16:27:35
|
Oh Yes, that will be good also and can be implemented through out the forum. |
 |
|
HuwR
Forum Admin
    
United Kingdom
20595 Posts |
Posted - 17 October 2002 : 16:43:46
|
quote: Originally posted by GauravBhabu
Oh Yes, that will be good also and can be implemented through out the forum.
I just nicked a couple of bits of your solution, so it's your idea really |
 |
|
Gremlin
General Help Moderator
    
New Zealand
7528 Posts |
Posted - 17 October 2002 : 16:54:18
|
Don't overuse it though, it still adds no benefits if you already know which collection you should be checking. I'm against giving people an easy way out that actually hinders performance; you find MOD writers start using it by default when they should just be specifying the correct collection in the code. |
Kiwihosting.Net - The Forum Hosting Specialists
|
 |
|
HuwR
Forum Admin
    
United Kingdom
20595 Posts |
Posted - 17 October 2002 : 17:06:19
|
quote:
Don't over use it though its still adds no benefits if ....
I agree, it is only for those places where the variable may be passed in either the form or the query string, not for every request call |
 |
|
GauravBhabu
Advanced Member
    
4288 Posts |
Posted - 17 October 2002 : 20:42:43
|
I also agree, it is only for those situations when the values are expected from either Form Object or in Querystring and are either exclusively being passed via Form object or exclusively in Querystring. |
 |
|
work mule
Senior Member
   
USA
1358 Posts |
Posted - 18 October 2002 : 00:31:44
|
quote: For items not in Request.Cookies, Request.Form, Request.QueryString, or Request.ClientCertificate, there is an implicit call to Request.ServerVariables. The Request.ServerVariables collection is much slower than the other collections.
Maybe I'm not getting it, but I don't think there is an issue.
Try this simple test and the above statement (not mine, the quoted one) will become clear:
Step 1: Create a simple test page with this one line:
response.write Request("HTTP_USER_AGENT")
Now try these links and look at the output:
http://localhost/olp_dev/testobjects.asp
http://localhost/olp_dev/testobjects.asp?HTTP_USER_AGENT=
http://localhost/olp_dev/testobjects.asp?HTTP_USER_AGENT=TEST
As long as the item exists, it won't go through to the Request.ServerVariables collection. So just make sure all items (you're expecting) are passed in the querystring or in your form, regardless if they have a value or not. In the case of the second link, even though there's no value, it still creates an entry in the Request.Querystring Collection. As long as the entry exists, it won't check the next collection nor make it down to the ServerVariable collection.
You have to be aware of the order of precedence of the various collections.
quote:
All variables can be accessed directly by calling Request(variable) without the collection name. In this case, the Web server searches the collections in the following order.
1. QueryString
2. Form
3. Cookies
4. ClientCertificate
5. ServerVariables
Something evil... If someone knew that the page your forms posted to did not specifically check for the forms collection [Request.Form("")], they could override all of your form values by recreating your form post via the querystring. In that instance, if the person relied upon the html form to validate the data (ie. thinking values only in lists would be sent, data lengths limited by maxsize, javascript validations), they'd be vulnerable.
So it's not so much an issue of performance, but integrity. If you know your value is going to be in the form collection, look for it there. If you don't, someone could mess around and add it to the querystring and anything in the form collection would be ignored with a basic Request("") reference. |
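An added example, not part of any post in this thread and not Snitz code: a per-name lookup limited to the QueryString and Form collections, as the GetRequestVar suggestion earlier in the thread aims for, which also lets the caller insist on Request.Form so that a querystring copy cannot override a posted field. RequestValue, IsSmallInteger, the 50-character limit and the choice of which fields are form-only are assumptions; chkString is the forum's own function used in the posts above.

```asp
<%
Option Explicit

' Added example (hypothetical helper, not Snitz code).
' strSource is "query", "form" or "either" (QueryString first, then Form).
' The lookup is per name and never falls through to Cookies,
' ClientCertificate or ServerVariables. Returns "" when the name is absent.
Function RequestValue(strName, strSource)
    RequestValue = ""
    If strSource <> "form" Then
        If Request.QueryString(strName).Count > 0 Then
            RequestValue = Trim(Request.QueryString(strName)(1))
            Exit Function
        End If
    End If
    If strSource <> "query" Then
        If Request.Form(strName).Count > 0 Then
            RequestValue = Trim(Request.Form(strName)(1))
        End If
    End If
End Function

' True only for 1 to 9 decimal digits, so CLng cannot overflow.
Function IsSmallInteger(strValue)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    IsSmallInteger = re.Test(strValue)
End Function

Dim strForumID, strMode, strSearchName

' FORUM_ID may arrive in the URL (search.asp?FORUM_ID=20) or in the form.
strForumID = RequestValue("FORUM_ID", "either")
' These two are only ever posted by the form, so a querystring copy is ignored.
strMode = RequestValue("mode", "form")
strSearchName = RequestValue("M_NAME", "form")

' Repeat on the server what the HTML form enforces in the browser.
If Not IsSmallInteger(strForumID) Then strForumID = ""
If strMode <> "search" Then strMode = ""
' maxlength is client-side only; 50 is an assumed limit.
strSearchName = Left(strSearchName, 50)
' strSearchName still goes through chkString(..., "SQLString") before any SQL use.
%>
```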
 |
|
GauravBhabu
Advanced Member
    
4288 Posts |
Posted - 18 October 2002 : 01:05:38
|
quote: Originally posted by work mule
As long as the item exists, it won't go through to the Request.ServerVariables collection...As long as the entry exists, it won't check the next collection nor make it down to the ServerVariable collection.
That is exactly what I pointed out in the post Here
quote:
Something evil... If someone knew that the page your forms posted to did not specifically check for the forms collection [Request.Form("")], they could override all of your form values by recreating your form post via the querystring...

quote:
So it's not so much an issue of performance, but integrity. If you know your value is going to be in the form collection, look for it there. If you don't, someone could mess around and add it to the querystring and anything in the form collection would be ignored with a basic Request("") reference.
Validate the Input always. Script in members.asp validated all the input values whether they are passed via querystring or Form Object. |
 |
|
GauravBhabu
Advanced Member
    
4288 Posts |
Posted - 18 October 2002 : 01:21:19
|
quote: Originally posted by work mule
Something evil... If someone knew that the page your forms posted to did not specifically check for the forms collection [Request.Form("")], they could override all of your form values by recreating your form post via the querystring... ...If you don't, someone could mess around and add it to the querystring and anything in the form collection would be ignored with a basic Request("") reference.
To avoid that, first check if the user submitted the values via Form
sub InitRequestVars()
    dim objRequest
    if Request.Form("mode") = "search" then
        Set objRequest = Request.Form
    else
        Set objRequest = Request.Querystring
    end if
|
 |
|