Using request.form, request.querystring and response.write    Getting-started

Related Articles


Installation and Requirements evaluation

Configuration & Customization

Creating your first page "Hello World!"

Database setup

Bringing AJAX into the game

Understanding environments

Debugging and Logging

Sending Emails

Using request.form, request.querystring and response.write

Discuss

When working with web applications we are dealing with request parameters all the time. Most of them are either sent as GET or POST parameters. ASP offers you access to those parameters via the request.querystring (for GET parameters) and the request.form (for POST parameters) collection. Thats great but ajaxed takes it a step further.

As those parameter are so commonly used we thought of creating wrapper methods for them. Those methods should fulfill the following requirements:


The methods are already here :) You can find them in the AjaxedPage class. All methods starting with RF are referring to POST parameters (RF stands for request.form). On the other hand all methods starting with QS are referring to GET parameters (QS stands for querystring). From today on you should use them instead of the native ones ;) Just have a look at the length of the methodname. Its much shorter.

So whenever you create an instance of AjaxedPage you will have access to methods for POST and GET parameters.

Important: The same applies when working with ajax. You can access POST and GET parameters within the callback() using the same methods.

POST parameters

All methods of AjaxedPage starting with RF. They always contain at least one parameter which holds the name of the field (parameter) your are requesting. Examples: 


<%
'we need a page instance in order to get
'access to the post parameters
set p = new AjaxedPage
p.draw()

sub main()
  '-- 1. common reading
  'old style
  someVal = request.form("paramName")
  'new style
  someVal = p.RF("paramName")
  
  '-- 2. parsing into a given datatype in one go
  'old style (fails if a parameter is not an int)
  someVal = cint(request.form("paramName")) 
  'new style
  someVal = p.RFP("paramName", 0)
  someBool = p.RFP("paramName", true)
  
  '-- 3. trimming
  'old style
  someVal = trim(request.form("paramName"))
  'new style
  someVal = p.RFT("paramName")
  
  '-- 4. getting an array (if more value have the same name)
  'old style 
  set val = request.form(name)
  someVal = array()
  redim preserve someVal(val.count - 1)
  for i = 0 to uBound(someVal)
    someVal(i) = val(i + 1)
  next
  RFA = arr
  
  'new style
  someVal = p.RFA("paramName")
  
  '-- 5. Checking existence
  'old style
  someVal = request.form("paramName") <> ""
  'new style
  someVal = p.RFHas("paramName")
  
end sub
%>


The above code sample should be mostly self explaining. Nevertheless I would like to stress to of the methods.

The first one is RFP which parses a posted value into a desired datatype. What does that actually mean to us? That means that it tries to parse the parameter into the datatype of your fallback variable. If it fails then the fallback variable is passed through. In that way you can prevent malicous input. You could e.g. use that value directly within a SQL query: 


<%
'this is safe because the ID parameter will be
'parsed into an integer for sure
set RS = db.getRS("SELECT * FROM users WHERE id = " p.RFP("id", 0), empty)
%>


Note: When you reqiure a floating point number then be sure to pass 0.0 as the fallback value.

As RFP() uses str.parse internally, you should refer to its documentation if you require more details about the parsing behavoir.

The second "cool" method is RFHas(). It checks if a given parameter contains a non empty string. This is very useful when dealing with e.g. checkboxes. The following example ticks a checkbox when the page contains a posted value named foo: 


<input type="checkbox" checked="<%= lib.iif(p.RFHas("foo"), "checked", "") %>"/>


TIP: Use the isPostback() method if you want to check if the page is a postback (has been requested using POST).

GET parameters

The same which applies to POST applies to GET parameters as well. Apart from the fact that all the methods are starting with QS. 


<%
'we need a page instance in order to get
'access to the post parameters
set p = new AjaxedPage
p.draw()

sub main()
  '-- 1. common reading
  'old style
  someVal = request.querystring("paramName")
  'new style
  someVal = p.QS("paramName")
  
  '-- 2. parsing into a given datatype in one go
  'old style (fails if a parameter is not an int)
  someVal = cint(request.querystring("paramName")) 
  'new style
  someVal = p.QSP("paramName", 0)
  someBool = p.QSP("paramName", true)
  
  '-- 3. trimming
  'old style
  someVal = trim(request.querystring("paramName"))
  'new style
  someVal = p.QST("paramName")
    
end sub
%>


You may have recognized that some of the methods are missing although they exist for POST parameters. They will be implemented soon :) sorry, been forgotten.

However, you can easily parse querystring values into a desired datatype now and the "old fashioned" SQL injections (seen in many legacy ASP apps) should not be possible anymore. Lets assume we have a page called page.asp which can take a parameter speed: 


<%
set p = new AjaxedPage
p.draw()

sub main()
  'tries to parse it into a floating point number
  'page can be called with ...
  ' page.asp?speed=2.2 => would pass 2.2
  ' page.asp?speed=xy => would pass 0.0
  ' page.asp?speed=1 => would pass 1.0
  ' page.asp => would pass 0.0
  speed = page.RFP("speed", 0.0)
end sub
%>


Writing to the response

In classic ASP applications we used to make heavy usage of response.write. When working with ajaxed we try to avoid its usage as we have several helper methods which makes life easier and are shorter to write: 


<%
set p = new AjaxedPage
p.draw

sub main()

  'old style
  response.write("hello world")
  'new style
  str.write("hello world")
  'or
  page.write("hello world")  

  'old
  response.write("hello world" & vbnewline)
  'new
  str.writeln("hello world")
  'or
  page.writeln("hello world")

  'old
  response.end()
  'new
  str.end()

  'old
  response.write("some debug")
  response.end()
  'new
  str.writeend("some debug")

  'old
  name = "Jack"
  response.write("My name is " & name & ".")
  'new
  str.writef("My name is {0}.", name)
  'more parameters
  str.writef("My name is {0} and i am {1}.", array(name, 18))

  'old
  response.write(server.HTMLEncode("some <html>"))
  'new
  str.HTMLEncode("some <html>")
  'or quicker by using the default method
  str("some <html>")

end sub
%>


Do you see the difference? Its not huge but it makes sense as you write less and your code gets cleaner which makes it more readable. Just check the writef() method which allows you to format a string and write it our directly to the response. Thats a time saver :)

Please refer to the str.format() method if you need more details about the formatting of str.writef().

Important (preventing XSS attacks): Be sure to use str.HTMLEncode() whenever you display user input within your page. You can use the short version str() as well

Posted in Getting-started 5622 days ago

Version 2.1.1 Released3964 days ago