4

I desperately want to use server-side includes in a project I'm working on because I just have some HTML that repeats and I need to get it on several pages. Must I use ascx or some other include technology... I mean, will lightning strike if I use server-side includes?

My client -- the middle-person -- says "do what's easiest, this will probably be redone in a CMS soon anyway." Can I not use server-side includes?

It's ASP.NET 2.0.

Note: I feel this has been asked before, but I couldn't find it. If it has, please let me know and I will personally delete it, thanks!

Edit: Any way to get an include ON ONE LINE would be fine with me, if you have suggestions.

Edit: Why do I like includes?

Include code:

<!--#include file="inc_footer.aspx"-->

the same code for a control. First you need one of these

<%@ Register TagPrefix="a" TagName="HeyFooter" Src="inc_footer.ascx" %>

and then you can use it like this

<a:HeyFooter runat="server" />

this is kind of long for what I need.

Note: Two security concerns with includes: 1) don't use the .inc extension, since it can be browsed. 2) do not include filenames based on user variables, as the best answer points out.

Dan Rosenstark
  • 68,471
  • 58
  • 283
  • 421
  • Why are you so keen to avoid user controls? There doesn't seem to be any significant extra effort to me. – Nick Higgs Jan 30 '10 at 02:24
  • @Nick Higgs, is there any way to get all the code on one line? I don't want to put in two lines of code -- one of them defining the tag, another using it -- to get a simple include. I know that's pathetic, but I really just need to include some HTML. Also, you know, "simple as possible" and that. Anyway, please put the shortest possible code to do an ASCX and compare it to an include in an answer here. Maybe I don't know what can be left out... – Dan Rosenstark Jan 30 '10 at 11:21
  • @yar: In my opinion, "simple as possible" means don't use server-side includes, which are turned off by default, cause security problems, and which nobody uses anymore. – John Saunders Jan 30 '10 at 11:48
  • @John Saunders, are they deprecated or just "not used?" What security problems do they cause. That's exactly what I'm asking. – Dan Rosenstark Jan 30 '10 at 12:05
  • 1
    @yar: There's much more to server-side includes than simply inserting a chunk of html. If you enable SSI, you're opening your site to a host of issues, most of which have been forgotten. All I remember about SSI is the warnings to not use them. Also note they are turned off by default - there are reasons for that. – John Saunders Jan 30 '10 at 15:49
  • @John Saunders, thanks for that. For the sake of honesty, I'll admit that on this small project I actually ended up doing things with ASCXes because you scared me into it :). – Dan Rosenstark Jan 30 '10 at 16:04

3 Answers

4

If you include a file via a string variable: <!--#include file=some_variable -->, then depending on how that variable is filled there are possible attacks a hacker could do to include his own files and run arbitrary code on your machine. But as long as you use a string literal, you won't run into this problem.

I would use Master Pages in ASP.NET. This is the accepted way to have common areas of a page.

You would create a Master Page similarly as you would regular pages, then modification of each of the other pages would be minimal. Add a single line to the top of each page file, then specify the sections used.

Aaron
  • 6,988
  • 4
  • 31
  • 48
  • what's the problem with server-side includes aside from them being old-school? – Dan Rosenstark Jan 29 '10 at 19:59
  • 1
    If you eliminate the potential security threats with server-side includes, there's really nothing wrong with them. I just prefer Master Pages and all the useful stuff you can do with them. – Aaron Jan 29 '10 at 20:01
  • Cool thank you, I'm trying not to do anything interesting on this particular project :)... what are the security risks? You have to name them .aspx and that's it? – Dan Rosenstark Jan 29 '10 at 20:10
  • If you include a file via a string variable: `<!--#include file=some_variable -->`, then depending on how that variable is filled there are possible attacks a hacker could do to include his own files and run arbitrary code on your machine. But as long as you use a string literal, you won't run into this problem. – Aaron Jan 29 '10 at 20:32
  • cool, could you put that in your answer so I can upvote and mark it best answer please? Though Master Pages are nice and all... – Dan Rosenstark Jan 29 '10 at 20:37
  • Ask and ye shall receive (though the promise of a best answer certainly doesn't hurt ;)) – Aaron Jan 29 '10 at 21:00
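
For the case this answer warns about, where the file to include is picked from a request value instead of a string literal, one defensive pattern is to treat the value as a key into a fixed map and never as a path. This is an added example, not code from the answer or the question; the class name, the fragment file names, the `~/includes/` directory and the `part` query parameter are all assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Added example: maps a request-supplied key to one of a fixed set of files.
public static class FragmentResolver
{
    // Constructed fragment names; nothing outside this map can be included.
    private static readonly Dictionary<string, string> Allowed = BuildMap();

    private static Dictionary<string, string> BuildMap()
    {
        Dictionary<string, string> map =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        map.Add("header", "header.html");
        map.Add("footer", "footer.html");
        return map;
    }

    // baseDir: physical include directory, e.g. Server.MapPath("~/includes/").
    // key: untrusted value, e.g. Request.QueryString["part"].
    public static string Resolve(string baseDir, string key)
    {
        string fileName;
        if (key == null || !Allowed.TryGetValue(key, out fileName))
            throw new ArgumentException("Unknown fragment key.", "key");

        // Canonicalise both paths and confirm the result stays under baseDir,
        // so a bad map entry cannot escape the include directory either.
        string sep = Path.DirectorySeparatorChar.ToString();
        string root = Path.GetFullPath(baseDir);
        if (!root.EndsWith(sep, StringComparison.Ordinal))
            root += sep;
        string full = Path.GetFullPath(Path.Combine(root, fileName));
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Fragment is outside the include directory.");
        return full;
    }
}

// In a page's code-behind (hypothetical directory and parameter names):
//   string path = FragmentResolver.Resolve(
//       Server.MapPath("~/includes/"), Request.QueryString["part"]);
//   Response.WriteFile(path);
```

Because the request value is only ever compared against the map's keys, path separators or `..` sequences in it are rejected as unknown keys before any file system call is made.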
2

No, you most definitely do not need to use fancy .NET web form ways of doing this, if you want to keep it simple. Just put this at the points where you want it inserted:

<!--#include virtual="../repeatStuff/fun.html" -->

The html will show up there. I gave a path one up and down another directory. This is "easiest", but also has the virtue of being very straightforward. Note that this won't show up in your visual designer. (I never use it anyway.)

Patrick Karcher
  • 22,995
  • 5
  • 52
  • 66
  • 2
    Visual designer... what's that? I code with Speech Recognition software in my car only, and then I say, "deploy." – Dan Rosenstark Jan 29 '10 at 20:28
  • 3
    So, you just drive back and forth between work? I guess you might stop at work for meetings, then drive home and back to generate code. I myself just have two buttons, for 0's and 1's; that's all I use. I typically code straight to production, to avoid deployment issues. – Patrick Karcher Jan 30 '10 at 12:31
1

I still use includes every once in a while for exactly the purpose you describe.

You don't really need to register a user control because it's just plain html anyway. And you don't want a master page because it's really just a snippet of html that needs to be on a few select pages.

So I've got includes like this from a glossary of help text files:

<!--#include file="~/Glossary/BusinessDetails.inc"-->

In my opinion there's nothing wrong with using old school include files for this purpose.

Steve Wortham
  • 21,740
  • 5
  • 68
  • 90
  • cool, thanks for that. to be honest, I'm trying to provoke the do-not-use-include police, because I know that they are out there. But +1 for now :) – Dan Rosenstark Jan 29 '10 at 20:26