[thelist] [ASP] templating system woes

Stephen Caudill SCaudill at municode.com
Thu Aug 21 09:29:15 CDT 2003


Joshua Olson on Thursday, August 21, 2003 8:25 AM said:

: ----- Original Message -----
: From: "Stephen Caudill" <SCaudill at municode.com>
: Sent: Wednesday, August 20, 2003 6:12 PM
: 
:: I've been kicking myself over it all afternoon.  The only
:: thing that has occurred to me is to write the contents of the
:: <body> to a temp file and server.execute that into place in the
:: template, but that seems very inelegant and likely to add too
:: much overhead to the processing (there's already a ton of FSO
:: and RegExp...) 
: 
: Not too bad of a solution given the scenario.  In regards to
: overhead, do think about how much traffic the site is likely to
: generate before getting too worried.  One nice benefit to this
: method is that you could conceivably cache the pages to disk and
: only overwrite them if the database record is updated. Comparing
: the datestamp of the record against the datestamp of the file
: should give you this info. 

This is a rewrite of the templating engine currently in place for
http://www.municode.com/ which receives around 10k visitors a day
give or take a couple grand... so the overhead is definitely an 
issue.  I hadn't thought about caching the pages to disk, though.
Nor do I have any experience with it.  Seems viable, but still 
invokes a strong sense of "wrongness".
 
: The question you need to ask yourself is whether this method
: creates a security risk for the content.  If you can place
: executable script into the database (and presumably someone has
: the opportunity to change the code) then you open up potential
: points through which someone could damage the site or the server
: or server farm (ugh). 

hmmm... I don't think this is a problem, but am not sure I understand
what you're saying. Do you mean something on the order of an SQL
injection?  If so, I've put a good deal of safeguards in place
to handle that sort of attack... If not, then I don't follow you.

I'm still at a total loss as to how to proceed...  I really wish
there was an equivalent of PHP's output buffering. :( No Joy.

- Stephen
http://www.mechavox.com/
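
An added example, not code from this thread, covering the two points in the quoted reply: rewrite the cached file only when the record's datestamp is newer than the file's, and refuse database content that would run as script once the file is passed to Server.Execute. It assumes page bodies are meant to be static markup; the function names and temp path are hypothetical, and the demo lines at the end run under cscript.exe.

```vbscript
Option Explicit
' Hypothetical helpers: names and cache path are assumptions, not from the thread.

' True when content holds markers the ASP engine would run or expand
' if the cached file were handed to Server.Execute.
Function ContainsServerScript(ByVal content)
    Dim re
    Set re = New RegExp
    re.IgnoreCase = True
    re.Pattern = "<%|<script\b[^>]*\brunat\s*=|<!--\s*#include\b"
    ContainsServerScript = re.Test(content)
End Function

' True when the cache file is missing or older than the database record.
Function CacheIsStale(fso, ByVal cachePath, ByVal recordUpdated)
    CacheIsStale = True
    If fso.FileExists(cachePath) Then
        CacheIsStale = (fso.GetFile(cachePath).DateLastModified < recordUpdated)
    End If
End Function

' Rewrites the cache only when stale, and never with script-bearing content.
' Returns "fresh", "written" or "rejected".
Function RefreshCache(fso, ByVal cachePath, ByVal body, ByVal recordUpdated)
    Dim f
    If Not CacheIsStale(fso, cachePath, recordUpdated) Then
        RefreshCache = "fresh"
    ElseIf ContainsServerScript(body) Then
        RefreshCache = "rejected"
    Else
        Set f = fso.CreateTextFile(cachePath, True)
        f.Write body
        f.Close
        RefreshCache = "written"
    End If
End Function

' Constructed demo data; in ASP the path would come from Server.MapPath.
Dim fso, path
Set fso = CreateObject("Scripting.FileSystemObject")
path = fso.BuildPath(fso.GetSpecialFolder(2), "page_42.htm") ' 2 = TemporaryFolder
If fso.FileExists(path) Then fso.DeleteFile path
WScript.Echo RefreshCache(fso, path, "<p>Code of ordinances</p>", Now())
WScript.Echo RefreshCache(fso, path, "<p>Unchanged</p>", DateAdd("d", -1, Now()))
WScript.Echo RefreshCache(fso, path, "<% Response.Write(Now) %>", DateAdd("d", 1, Now()))
```

When RefreshCache returns "rejected" the previous cache file is left in place, so the caller should log the record and decide whether to keep serving the old copy.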

