Response write inside Response write


0

I have a website in a database (records the page code inside the table), example:

<html>
...

This above code I saved in a field within the table, and to display, I do normally and everything comes right, but I am in need of the following:

within the code there is, for example, h1 date() h1 (I took out the < and > because here it is understood as a title)

summary:

when I do <%=%> is the same thing as Response.write, so how do I put this variable inside the code that is already in the database?

I’ve tried everything when it’s right and everything I put is printed on the screen exactly as I put it, in the example above, it’s written on the page exactly that, date() inside the H1.

detailed..

I created a database within another domain I have and in it I created a table with longtext field and within it I created the following:

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title> Login</title>

<body class="gray-bg">
<div><h1 class="logo-name"></h1></div>
<%=date()%> (this is where I have already tried everything (laughs))
</body>
</html>
... (the page is not complete, it was only to give the idea)

and within the domain I want the page I created the following:

SQLLerDados = "select * FROM sisindex"
Set RSLerDados=Server.CreateObject("ADODB.Recordset")
RSLerDados.Open SQLLerDados, objConnPagina

if RSLerDados.eof then
    response.End()
else
    codigoPagina = RSLerDados("codigoPagina")
    response.write codigoPagina
end if
Set RSLerDados = Nothing
response.End()

That is, it goes to my database and picks up the page to be displayed, only this page is in ASP and has commands and functions in it, and with Response.write it is understood as text regardless of how I put the ASP variables, understand? Or maybe you don't think I explained it right. Thank you

  • 1

    I didn't quite understand your use case, but there is a way to execute arbitrary code. It's usually recommended, and with caveats, just for processing templates. The problem is that if you have code in your DB that says format the server (and using this method opens the door to code being injected into your DB), simply accessing a web page will format your server... or worse.

  • How would the door be opened to inject code into my DB? Could you tell me how someone would do that, so I can prevent it? I already have SQL injection handling... but would it be just that?

  • I don't know the details of your application to give examples, but if you're going to use this, use it very carefully, and be sure of what is being passed to the function. If your own users can save data in the DB that will later be interpreted as ASP, they themselves are a threat.

  • Users save data, but in their own DB (another domain); this domain, which has the code DB, will be used only to display the content of the page... I swear I got confused with the code, I don't know if it is because I have been at this since 5 am, lol, but could you shed some light on that link for me?

2 answers

4

If in HTML body:

<h1><%= date() %></h1>

If you’re gonna concatenate strings:

Response.Write "<h1>" & date() & "</h1>"

If your source code is stored with functions in the DB, it is time to rethink the application urgently. Usually this is not justified.

A solution would be a mini-template system:

Entrada = "<h1>$DATA$</h1>"  'the data would have to be stored like this in the DB
Saida = Replace( Entrada, "$DATA$", date() )
Response.Write Saida
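
The mini-template idea from the answer above, generalised as an added example (not part of the original answer): placeholders are matched in one pass against an allowlist and their values are HTML-encoded, so text stored in the database is only ever treated as data. The HORA token and the sample template string are assumptions made for illustration.

```vbscript
<%
Option Explicit

' Allowlist of placeholders; values come only from trusted server-side code.
' DATA is the answer's token; HORA is a hypothetical second one.
Function BuildTokens()
    Dim d
    Set d = Server.CreateObject("Scripting.Dictionary")
    d.CompareMode = 1            ' vbTextCompare, must be set before adding keys
    d.Add "DATA", CStr(Date())
    d.Add "HORA", CStr(Time())
    Set BuildTokens = d
End Function

' Single-pass replacement of $NAME$ markers. Known names are substituted with
' HTML-encoded values, unknown ones are left as literal text, and nothing read
' from the database is ever passed to Execute or Eval.
Function RenderTemplate(ByVal template, ByVal tokens)
    Dim re, m, result, lastPos, name
    Set re = New RegExp
    re.Pattern = "\$([A-Z_][A-Z0-9_]*)\$"
    re.Global = True
    re.IgnoreCase = True

    result = ""
    lastPos = 1                  ' Mid is 1-based, Match.FirstIndex is 0-based
    For Each m In re.Execute(template)
        result = result & Mid(template, lastPos, m.FirstIndex + 1 - lastPos)
        name = m.SubMatches(0)
        If tokens.Exists(name) Then
            result = result & Server.HTMLEncode(tokens(name))
        Else
            result = result & m.Value
        End If
        lastPos = m.FirstIndex + m.Length + 1
    Next
    RenderTemplate = result & Mid(template, lastPos)
End Function

' Constructed sample standing in for the codigoPagina column.
Dim entrada
entrada = "<h1>$DATA$</h1><p>$HORA$</p><p>$DESCONHECIDO$</p>"
Response.Write RenderTemplate(entrada, BuildTokens())
%>
```

Because the scan is a single pass over the stored text, a substituted value that itself contains a `$NAME$` marker is not expanded again.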

-1

Ronaldo, unfortunately what you want to do is not possible, at least not directly like this. Everything you put inside Response.Write will be displayed as text. Whatever is in HTML tag format will be interpreted by the browser as HTML because it reads the page on the client itself. ASP is processed by the server, and when you do a Response.Write or a <%= %> it outputs the result of the ASP processing as text for the browser to be able to interpret normally.

Now, I didn't quite understand the need to store the pages in the database. Isn't it possible to just save them as .asp?

  • Forgive me for the delay... what I really want to do is a code matrix, I have 5 clients who use the same system and not to keep updating (when necessary) all pages of the 5 domains, I wanted to update only the code that is in the database and automatically everything would be ok. It could also be in xml, txt, but I’ve tried everything and the page doesn’t read ASP code, it just appears as text. Does anyone have any tips for me to do this? Thanks
