Page 1 of 4
Ugh don't make me use ASP.....
Posted: Mon Jul 25, 2005 7:20 am
by Skittlewidth
Hello,
Whilst I consider it blasphemy to post anything to do with ASP on our wonderful PHP forum I'm not sure where else to ask (and should I move this to General Discussion?)
I was wondering if anyone knew of an ASP equivalent to our hallowed PHP manual or an asp forum as huge and as well used as this? Everything I've found so far has been about ASP.net
I'm not going over to the dark side by choice, i've just been given a project where I have to improve an existing asp driven site.
Oh and if someone could tell me what the equivalent of isset() is in ASP that would save me another fruitless trawl on Google
Cheers
Posted: Mon Jul 25, 2005 8:04 am
by timvw
I don't know much about ASP, but afaik it's an alternative for CGI...
This means you should search for Visual Basic (or whatever the code is written in) instead of ASP...
Re: Ugh don't make me use ASP.....
Posted: Mon Jul 25, 2005 8:53 am
by infolock
Skittlewidth wrote:Hello,
Whilst I consider it blasphemy to post anything to do with ASP on our wonderful PHP forum I'm not sure where else to ask (and should I move this to General Discussion?)
I was wondering if anyone knew of an ASP equivalent to our hallowed PHP manual or an asp forum as huge and as well used as this? Everything I've found so far has been about ASP.net
I'm not going over to the dark side by choice, i've just been given a project where I have to improve an existing asp driven site.
Oh and if someone could tell me what the equivalent of isset() is in ASP that would save me another fruitless trawl on Google
Cheers
So ehh, what exactly is the project? i think you may have accidently left that out
But anyways, an alternative to isset is
empty()
Re: Ugh don't make me use ASP.....
Posted: Mon Jul 25, 2005 9:20 am
by Chris Corbyn
infolock wrote:But anyways, an alternative to isset is
empty()
Well it's not really an alternative for somethings. empty() will throw an error if the var doesn't even exist. That's PHP anyway but in ASP I have a feeling this might work.
Code: Select all
<%
if (!someVar) {
print (someVar + "e; is not set)"e;;
}
%>
And yes... a VB manual - there's one somewhere in the microsoft office program files if you search for all chm files in there

- will help you here. ASP uses VB syntax.
Posted: Mon Jul 25, 2005 10:07 am
by infolock
this is true. however, the check
Code: Select all
if(!$myvar) {
echo 'Myvar is not set';
}
works in php as well.
Posted: Mon Jul 25, 2005 10:44 am
by Skittlewidth
Thanks everyone.
Wasn't being vague about the nature of the project, thats about all the info I have at the moment infolock! We were tempted to convert the existing website over into PHP and MySQL but then it was decided that I may as well expand my skillset a little. I probably won't be doing anything partuclarly innovative, just the old custom cms stuff so as long as I can do select, insert, update, delete, between the page and the database and manipulating content data a little I think I'll be ok.
I know asp is oop but its taking me a while to adapt to the long winded way of getting things done. I particluarly miss ".=" !
Posted: Mon Jul 25, 2005 11:29 am
by timvw
PHP $line .= "message"
VB line = line & "message"
Meaby you want to have a look at
http://www.vbaccelerator.com/home/VB/Co ... rticle.asp too...
Posted: Mon Jul 25, 2005 11:53 am
by Ambush Commander
Code: Select all
if(!$myvar) {
echo 'Myvar is not set';
}
E_ALL will issue a warning if $myvar is null. Stay with empty().
Posted: Mon Jul 25, 2005 2:54 pm
by infolock
aye, but that's if you have error reporting turned on

It is still a very valid if statement and we use it all the time in corporate site designing. I'll agree it isn't the best practice, I was just stating that the same statement in asp could be achieved in php

Posted: Mon Jul 25, 2005 4:46 pm
by Roja
infolock wrote:aye, but that's if you have error reporting turned on

It is still a very valid if statement and we use it all the time in corporate site designing.
Its also still a very valid warning - that variable isnt defined yet, and that means potential security problems. Thats why you should have error reporting on, and shouldn't "use it all the time".

Posted: Mon Jul 25, 2005 4:55 pm
by infolock
Roja wrote:infolock wrote:aye, but that's if you have error reporting turned on

It is still a very valid if statement and we use it all the time in corporate site designing.
Its also still a very valid warning - that variable isnt defined yet, and that means potential security problems. Thats why you should have error reporting on, and shouldn't "use it all the time".

I don't think it necessarily means potential security problems. The only way it would bring a security issue in general is if you keep error reporting on for the whole world to see that you have an undefined variable. otherwise, you don't have a problem as no one even knows about it

Posted: Mon Jul 25, 2005 5:24 pm
by Roja
infolock wrote:
I don't think it necessarily means potential security problems. The only way it would bring a security issue in general is if you keep error reporting on for the whole world to see that you have an undefined variable. otherwise, you don't have a problem as no one even knows about it

Whether someone knows it exists or not is "Obscurity". It has no relation to whether it is secure. I can hide a box of money in my room.. just because its hidden has no relation to the fact that the combination to the box being written on it makes it insecure.
And yes, an undefined variable always has the potential for security risks - thats why they warn you about them.
Example:
Access that file in a browser with..
http://www.example.com?cmd='rm -rf'
You get the idea. Because $cmd isn't defined by your script, the user can define it to a potentially dangerous/unexpected value. Its true in includes, exec's, even for-loops, whiles, and so on. Basically anywhere that you don't have tight bounds checking.
And if register_globals is on, its even worse.
Using a variable you haven't defined is by definition trusting an unknown value - thats not secure.
Posted: Mon Jul 25, 2005 5:27 pm
by Ambush Commander
And so you people are thinking: what harm could a measly boolean check do? Well, not much. But it sorta creeps, you know?
Posted: Mon Jul 25, 2005 5:31 pm
by infolock
Roja wrote:infolock wrote:
I don't think it necessarily means potential security problems. The only way it would bring a security issue in general is if you keep error reporting on for the whole world to see that you have an undefined variable. otherwise, you don't have a problem as no one even knows about it

Whether someone knows it exists or not is "Obscurity". It has no relation to whether it is secure. I can hide a box of money in my room.. just because its hidden has no relation to the fact that the combination to the box being written on it makes it insecure.
And yes, an undefined variable always has the potential for security risks - thats why they warn you about them.
Example:
Access that file in a browser with..
http://www.example.com?cmd='rm -rf'
You get the idea. Because $cmd isn't defined by your script, the user can define it to a potentially dangerous/unexpected value. Its true in includes, exec's, even for-loops, whiles, and so on. Basically anywhere that you don't have tight bounds checking.
And if register_globals is on, its even worse.
Using a variable you haven't defined is by definition trusting an unknown value - thats not secure.
Again, one will not know if the variable is undefined if the error reporting is off. if it's turned on (which php.net strongly suggests that you do
NOT do), then yeah, you are right. again, if, however, you keep error reporting turned off for this instance, you have no worries. as far as globals go, that's exactly why i said it was a bad idea to have them turned off.
as for the whole variable thing goes, even if it is bad practice, it's still a very easy way of validating a variables existance without the need of using processor speed. Because so long as you have the error reporting turned off, the end user is NOT going to see any of these warnings, and thus will not know of any variables that are left undefined.
Posted: Mon Jul 25, 2005 5:33 pm
by Ambush Commander
One should note that it is strongly recommended that you turn off all error reporting in production environments. It is also strongly recommended that you work with them on in development environments (heh).