Developer

Send long XML form data with XMLHTTP

Inherent security measures in IIS can prevent Microsoft Web application developers from using large XML-based forms to collect and store data. Find out how to circumvent these size problems using the XMLHTTP object.


This article originally appeared as a Web Development TechMail.

When sending large amounts of XML to your IIS server as part of POST data—as in a TEXTAREA of an ASP form—you might get some unexpected results. Depending on how you handle the data once it's processed on the server, you could end up with an error. The reason is that there's a size restriction on POST fields when submitting data back to the server. This is to limit the ability of a would-be intruder from submitting extremely large amounts of data to the server in a denial of service (DoS) attack.

This restriction also limits your abilities. But there are alternatives. If you're not restricted to sending data through a FORM submission, you can use the XMLHTTP object (a DOM object from Microsoft's XML collection) to send just the necessary XML:
 
var oXMLHTTP = new ActiveXObject("Microsoft.XMLHTTP");
oXMLHTTP.open("POST", "xml_handler.asp", false);
oXMLHTTP.send(xml_to_send);

 

Since the Request object implements the IStream interface, you can load the submitted XML through the load() method of the DOMDocument object:
 
Dim oDOM
Set oDOM = Server.CreateObject("MSXML2.DOMDocument")
oDOM.load Request

 

If you are restricted to a FORM submission, you can overcome that limitation by submitting multiple TEXTAREAs or INPUTs that can be recombined once the server receives this FORM data:
 
var MAXLEN = 90000;
var oForm = document.createElement("FORM");
oFORM.method = "POST";
oFORM.action = "xml_handler.asp";
oFORM = document.body.appendChild(oFORM);
var s = document.someForm.txtXML.value;
if (s.length > MAXLEN) {
    while (s.length > MAXLEN) {
        var o = document.createElement("INPUT");
        o.type = "hidden";
        o.name = "txtXML";
        o.value = s.substr(0, MAXLEN);
        oFORM.appendChild(o);
        s = s.substr(MAXLEN);
    }
    var o = document.createElement("INPUT");
    o.type = "hidden";
    o.name = "txtXML";
    o.value = s.substr(0, MAXLEN);
    oFORM.appendChild(o);
} else {
    var o = document.createElement("INPUT");
    o.type = "hidden";
    o.name = "txtXML";
    o.value = s;
    oFORM.appendChild(o);
}

 

This code creates a new FORM element to handle the data submission and places it within the BODY element. Then, it checks the length of the XML that will be submitted to the server. This XML resides in a TEXTAREA called txtXML located inside someForm.

If the XML is greater than the MAXLEN of 90,000 characters, the code splits up the data by creating multiple hidden INPUT elements and setting the value property to a 90,000-character chunk of XML data or whatever remains at the tail of the XML data. If the length is less than the MAXLEN, the code creates only one INPUT and assigns the value accordingly. This data is then submitted to the server for processing.

You may have noticed that I've given the same name—txtXML—to each field in the new form. This will help separate the XML data from other data that may be submitted and will provide a simple way to recombine the XML data. When you recombine the data, you go through a simple loop to concatenate the field data:
 
Dim str, fld
For Each fld In Request.Form("txtXML")
    str = str & fld
Next

 

Because a collection of fields is created for each FORM element, you iterate through fields of the same name. You don't have to worry about the order in which the fields are stepped through as long as you created the FORM elements on the client side in the proper order. This is easily accomplished through the appendChild() method of the FORM.

Data is submitted in a left-to-right, top-to-bottom fashion from the client, so whenever you append the INPUT elements to the FORM element, you're always going to receive them on the server in the same fashion.

If you're looking to implement a large data solution, such as transferring a lot of Excel data from a client machine to a server, you should reconsider FORM submissions or logically divide the data into smaller parts. Since you can't use the file type INPUT element, the most creative solution would be to convert the data to XML locally and submit the XML data to the server. This, in turn, is stored on the server until further processing.

Sure, there may be better ways of handling this. But when you're hands are tied, you have to implement a speedy, usable solution.

Editor's Picks