Using Variable values as functions/subprocedures

Status
Not open for further replies.

palagrim

Programmer
Apr 28, 2005
31
GB
Hi there,

Quick question, I've got a load of functions and subs stored in an #include file that generate different web pages. The idea was that I could have one .asp page that could call the various functions/subs depending on a querystring.

So for example:

<!-- pages.asp -->

SUB page1()
response.write "This is page 1"
end sub

SUB page2()
response.write "This is page 2"
end sub

etc etc etc

The idea then being I have another page which, once it was passed a url like I thought would be as simple as:

whatpage = request.querystring("page")

call whatpage()

The point of this is for an intranet that we're gonna want to just keep plugging stuff into and it would be nice to just add more subs or functions and let the site handle the rest itself.

Is this even possible? I'm sort of new to the VB thing so I might just be being an idiot ;-)
 
You can do what you suggest using exec(), but it's unwise to allow client-side data to execute on the server.

Call your page with this querystring:
Code:
http://xxx.xxx.xxx/xxx.asp?cmd=myTest

In the page:
Code:
function myTest()
  response.write "hello"
end function

runCmd = request.querystring("cmd")

exec (runCmd)

Which sounds great until you think that any visitor can use the following querystring by manually editing the url:

Code:
Encoded:
http://xxx.xxx.xxx/xxx.asp?cmd=response.write%20%22you%20have%20been%20hacked%22%20:%20response.write%20server.mappath(%22/%22)

So you can see:
http://xxx.xxx.xxx/xxx.asp?cmd=response.write "you have been hacked" : response.write server.mappath("/")

Then your asp script will run any code they like.

You can always do a check against an array that the querystring value is a valid function, but then you have concerns about the parameters passed to the function etc etc.

I would recommend you reconsider the design here - you may be able to do what you want, just in a different, more secure way?

What kind of features are you expecting the site to handle itself?

A smile is worth a thousand kind words. So smile, it's easy! :)
 
Hmmm.... that doesn't sound like a good idea ;-)

Basically I'm just being lazy I guess. I've been asked to write an intranet but as yet the boss doesn't know what sort of stuff he wants on it.

So, I was trying to make it all modular so as he comes up with another "fantastic idea" I can just write the function to handle whatever it is without worrying too much about plugging it in to the look and feel of the site...

If you know what I mean?

I guess it's back to the drawing board ;-)
 
palagrim,

This is the safe (everything is relative) approach.
Code:
set whatpage=getref(request.querystring("page"))
whatpage 'this runs the sub containing response.write
set whatpage=nothing

regards - tsuji
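
The allow-list check suggested earlier in the thread, combined with GetRef, as an added example that is not code from any poster: GetRef can only bind to a procedure that already exists, so it does not run arbitrary statements, but given a raw querystring value it can still reach any Sub or Function in scope, including helpers pulled in by an #include. The names routes, key, handler and purgeCache are hypothetical.

```vbscript
<%
Option Explicit

' Page handlers, named as in the original question.
Sub page1()
    Response.Write "This is page 1"
End Sub

Sub page2()
    Response.Write "This is page 2"
End Sub

' Hypothetical helper that must never be reachable from the URL.
' With GetRef(Request.QueryString("page")) it would be callable
' via ?page=purgeCache; with the allow-list below it is not.
Sub purgeCache()
    Response.Write "cache purged"
End Sub

' Allow-list: public page key -> procedure reference.
' GetRef is only ever given string literals written by the developer,
' never a value taken from the request.
Dim routes
Set routes = Server.CreateObject("Scripting.Dictionary")
routes.CompareMode = vbTextCompare   ' "Page1" and "page1" match the same entry
routes.Add "page1", GetRef("page1")
routes.Add "page2", GetRef("page2")

' Coerce the querystring item to a plain string before the lookup.
Dim key, handler
key = Trim(Request.QueryString("page") & "")

If routes.Exists(key) Then
    Set handler = routes(key)
    Call handler()
    Set handler = Nothing
Else
    ' Unknown or missing key: refuse without echoing the input back.
    Response.Status = "404 Not Found"
    Response.Write "Unknown page"
End If
%>
```

Adding a page then means writing the Sub and adding one routes.Add line, which keeps the plug-in style asked for while the set of callable procedures stays fixed on the server.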
 
Excellent stuff. Does exactly what it says on the tin...

Thanks to both of you for your help! Much appreciated!

- Craig.
 