to .ASP or to parse HTML to accept SSIs...

[Minarai]

This question may be worded poorly, but I'm setting up the frame for a website that will grow to include many DB interfaces that I intend to use .asp files for.

I also intend to use #include files on every page and I'm debating whether I should just make all pages .asp rather than configuring my server (IIS 5.0) to parse .htm for security reasons.

QUESTION:
1. How serious are the security issues?
2. Is there any downside to having all my files named .asp rather than .htm?

...Could someone please help me?

 

[vasah20]

.asp isn't necessary.

instead, you can name them .shtm, or .shtml. These will process the #include files accordingly. This is assuming that your include files are just straight HTML or Text... meaning any <!--#include file=&quot;blah.asp&quot;--> will show the ASP code as plain text.

As for security concerns, there are none simply because you would be naming everything .ASP.

There would be a slight performance hit, since you would send all your pages through the ASP dll for processing (instead of the SHTM or HTM dll for processing.)

The reason for the performance hit is like so:
the ASP dll would:
include all the #include s found
try to process any ASP code found within the document
present the resulting HTML

as opposed to the SHTML dll which would
include all the #include s found
present the resulting HTML


anyhow -
hth
leo
leo