When working with web applications we are dealing with request parameters all the time. Most of them are either sent as GET or POST parameters. ASP offers you access to those parameters via the
request.querystring
(for GET parameters) and the
request.form
(for POST parameters) collection. Thats great but ajaxed takes it a step further.
As those parameter are so commonly used we thought of creating wrapper methods for them. Those methods should fulfill the following requirements:
- Improve readability by shorter names (e.g.
request.querystring
is really really long and results in unreadable code) - Provide the ability to perform common tasks on a parameter in one go. E.g. Parse the parameter into a number and if parsing fails use a fallback (default) value.
The methods are already here :) You can find them in the
AjaxedPage
class. All methods starting with
RF
are referring to POST parameters (RF stands for request.form). On the other hand all methods starting with
QS
are referring to GET parameters (QS stands for querystring). From today on you should use them instead of the native ones ;) Just have a look at the length of the methodname. Its much shorter.
So whenever you create an instance of
AjaxedPage
you will have access to methods for POST and GET parameters.
Important: The same applies when working with ajax. You can access POST and GET parameters within the callback()
using the same methods.
POST parameters
All methods of
AjaxedPage
starting with
RF
. They always contain at least one parameter which holds the name of the field (parameter) your are requesting. Examples:
<%
set p = new AjaxedPage
p.draw()
sub main()
someVal = request.form("paramName")
someVal = p.RF("paramName")
someVal = cint(request.form("paramName"))
someVal = p.RFP("paramName", 0)
someBool = p.RFP("paramName", true)
someVal = trim(request.form("paramName"))
someVal = p.RFT("paramName")
set val = request.form(name)
someVal = array()
redim preserve someVal(val.count - 1)
for i = 0 to uBound(someVal)
someVal(i) = val(i + 1)
next
RFA = arr
someVal = p.RFA("paramName")
someVal = request.form("paramName") <> ""
someVal = p.RFHas("paramName")
end sub
%>
The above code sample should be mostly self explaining. Nevertheless I would like to stress to of the methods.
The first one is
RFP
which parses a posted value into a desired datatype. What does that actually mean to us? That means that it tries to parse the parameter into the datatype of your fallback variable. If it fails then the fallback variable is passed through. In that way you can prevent malicous input. You could e.g. use that value directly within a SQL query:
<%
set RS = db.getRS("SELECT * FROM users WHERE id = " p.RFP("id", 0), empty)
%>
Note: When you reqiure a floating point number then be sure to pass 0.0 as the fallback value.
As RFP()
uses str.parse
internally, you should refer to its documentation if you require more details about the parsing behavoir.
The second "cool" method is
RFHas()
. It checks if a given parameter contains a non empty string. This is very useful when dealing with e.g. checkboxes. The following example ticks a checkbox when the page contains a posted value named
foo
:
<input type="checkbox" checked="<%= lib.iif(p.RFHas("foo"), "checked", "") %>"/>
TIP: Use the isPostback()
method if you want to check if the page is a postback (has been requested using POST).
GET parameters
The same which applies to POST applies to GET parameters as well. Apart from the fact that all the methods are starting with
QS
.
<%
set p = new AjaxedPage
p.draw()
sub main()
someVal = request.querystring("paramName")
someVal = p.QS("paramName")
someVal = cint(request.querystring("paramName"))
someVal = p.QSP("paramName", 0)
someBool = p.QSP("paramName", true)
someVal = trim(request.querystring("paramName"))
someVal = p.QST("paramName")
end sub
%>
You may have recognized that some of the methods are missing although they exist for POST parameters. They will be implemented soon :) sorry, been forgotten.
However, you can easily parse querystring values into a desired datatype now and the "old fashioned" SQL injections (seen in many legacy ASP apps) should not be possible anymore. Lets assume we have a page called
page.asp
which can take a parameter
speed
:
<%
set p = new AjaxedPage
p.draw()
sub main()
speed = page.RFP("speed", 0.0)
end sub
%>
Writing to the response
In classic ASP applications we used to make heavy usage of
response.write
. When working with ajaxed we try to avoid its usage as we have several helper methods which makes life easier and are shorter to write:
<%
set p = new AjaxedPage
p.draw
sub main()
response.write("hello world")
str.write("hello world")
page.write("hello world")
response.write("hello world" & vbnewline)
str.writeln("hello world")
page.writeln("hello world")
response.end()
str.end()
response.write("some debug")
response.end()
str.writeend("some debug")
name = "Jack"
response.write("My name is " & name & ".")
str.writef("My name is {0}.", name)
str.writef("My name is {0} and i am {1}.", array(name, 18))
response.write(server.HTMLEncode("some <html>"))
str.HTMLEncode("some <html>")
str("some <html>")
end sub
%>
Do you see the difference? Its not huge but it makes sense as you write less and your code gets cleaner which makes it more readable. Just check the
writef()
method which allows you to format a string and write it our directly to the response. Thats a time saver :)
Please refer to the str.format()
method if you need more details about the formatting of str.writef()
.
Important (preventing XSS attacks): Be sure to use str.HTMLEncode()
whenever you display user input within your page. You can use the short version str()
as well