1

What is better coding practice, with speed in mind (Classic ASP):

sPg=sPg& "<select id=""actions"" onchange=""emact(this.value)"">"
sPg=sPg& "<option value=""""></option>"
sPg=sPg& "<option value=""read"">read</option>"
sPg=sPg& "<option value=""unread"">unread</option>"
sPg=sPg& "<option value=""spam"">spam</option>"
sPg=sPg& "<option value=""unspam"">unspam</option>"
sPg=sPg& "<option value=""delete"">delete</option>"
sPg=sPg& "<option value=""undelete"">undelete</option>"
sPg=sPg& "</select>"

OR

<select id="actions" onchange="emact(this.value)">
<option></option>
<option value="read">read</option>
<option value="unread">unread</option>
<option value="spam">spam</option>
<option value="unspam">unspam</option>
<option value="delete">delete</option>
<option value="undelete">undelete</option>
</select>

Think of this, but on a way larger scale (an online store backend written this way almost completely, working on a new version) - I am going to convert it all to easy-to-manage HTML instead of response.write each time, but I just want to know that by doing that, I am not digging myself a hole.

Joel Coehoorn
Eddie

3 Answers

1

If you are re-writing, why are you going to use 10-year-old technology?

(Use the 2nd one.)

Hogan
  • This is a fantastic point, however I'm not sure I have a choice...however before we begin I am rooting for a PHP conversion... we'll see. – Eddie Jan 21 '10 at 22:10
  • or .Net if they are already a MS shop. Classic ASP -> .NET is way easy (as Microsoft intended); you can pick sections you want to upgrade (as I remember). – Hogan Jan 21 '10 at 22:11
1

That's what I would do.

There is absolutely no good reason to go with creating the whole HTML structure through string concatenation, and you will gain a bit of performance by changing to straight HTML.

It would also be more maintainable, as you won't have to worry about escaping quotes and making sure your strings are properly concatenated.

Oded
0

Wouldn't the argument for using Response.Write over HTML be the same one for parameterizing SQL statements over straight SQL queries? Meaning, to close a few loopholes for possible injection?

John
  • You still have to sanitize the user input -- it does not help AFAICT. – Hogan Jan 21 '10 at 22:13
  • (with parameterized sql the server enforces content and will not let the parameter end the current statement -- it will also cache the execution plan in some cases). – Hogan Jan 21 '10 at 22:14
  • How does Response.Write close any injection loopholes? You still have to call any HTML-encoding function you want manually. – bobince Jan 21 '10 at 22:14
  • I guess it doesn't, then. Not having worked with it, I thought it might do some user input sanitation, but apparently not. – John Jan 21 '10 at 22:21
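
The point made in the comments above, as an added example that is not code from the question or from any answer: neither Response.Write nor inline HTML encodes anything, so Server.HTMLEncode (and an allow-list for fixed values) is needed in both styles. The `folder` and `action` query parameters and the names `sFolder`, `sAction`, `aActions` and `KnownAction` are assumptions made for illustration; `sPg` and `emact` come from the question.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit

Dim sFolder, sAction, sPg, a, aActions
aActions = Array("read", "unread", "spam", "unspam", "delete", "undelete")

' Assumed request shape for this example: ?folder=<name>&action=<value>
' Appending "" forces a string even when the parameter is missing.
sFolder = Request.QueryString("folder") & ""
sAction = KnownAction(Request.QueryString("action") & "")

' Allow-list check: returns the matching known action, or "" for anything else.
Function KnownAction(v)
    Dim x
    KnownAction = ""
    For Each x In aActions
        If StrComp(v, x, vbBinaryCompare) = 0 Then KnownAction = x
    Next
End Function

' Style 1: string concatenation + Response.Write.
' Response.Write emits the string verbatim, so free-text input is encoded by hand.
sPg = "<h2>Folder: " & Server.HTMLEncode(sFolder) & "</h2>"
sPg = sPg & "<select id=""actions"" onchange=""emact(this.value)"">"
sPg = sPg & "<option value=""""></option>"
For Each a In aActions
    sPg = sPg & "<option value=""" & a & """"
    If a = sAction Then sPg = sPg & " selected"
    sPg = sPg & ">" & a & "</option>"
Next
sPg = sPg & "</select>"
Response.Write sPg

' Style 2 (below): plain HTML with inline expressions.
' The inline expression syntax is shorthand for Response.Write and does not encode
' either, so the same Server.HTMLEncode call is still required.
%>
<h2>Folder: <%= Server.HTMLEncode(sFolder) %></h2>
<select id="actions" onchange="emact(this.value)">
<option value=""></option>
<% For Each a In aActions %>
<option value="<%= a %>"<% If a = sAction Then Response.Write " selected" %>><%= a %></option>
<% Next %>
</select>
```

Both styles produce the same markup; the choice between them affects maintainability, not whether user input is encoded.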