Platinum Edition Using HTML 4, XML, and Java 1.2
(Publisher: Macmillan Computer Publishing)
Author(s): Eric Ladd
ISBN: 078971759x
Publication Date: 11/01/98

---

Syntax of SSI Commands

Most SSI commands have the form

<!--#command tagname=”parameter” -->

where command is a keyword indicating what the server is supposed to do, tagname is a keyword indicating the type of parameter, and parameter is the user-defined value for that command.

Note that the first space character is after the command keyword. Most servers refuse to perform SSI if you don’t follow this syntax exactly. SSI syntax is among the fussiest you’ll encounter. For example, Microsoft’s Internet Information Server (IIS) recognizes the following command:

<!--#include file=fname.inc-->

But only in lowercase. Different versions of IIS also gave new users problems with syntax peculiarities and restrictions. For example, some versions of IIS reportedly required an extra bang at the end of the comment tag:

<!--#include file=fname.inc--!>

And for some versions, files containing SSI had to end in the .stm extension—except for IIS 3.0 Active Server Page (.asp) files. The ASP DLLs introduced with IIS 3.0 and higher offer better SSI support, but only for ASP files.

The important thing to remember is that SSI syntax is highly idiosyncratic. Each server is different, and each server is fussy. Read the documentation!

Another implementation variation to watch for is that various servers have rules about which kinds of files can be included and what the default file extension is. O’Reilly’s current WebSite Pro, for instance, assumes an extension of .html-ssi unless you configure it otherwise. Some others can only include files with a .txt extension, and yet others only allow an .stm extension.

---

Common SSI Commands

You can use SSI commands for a variety of tasks, including inserting (echoing) a value into the document, running a program, inserting the contents of a file into the document, setting the way file sizes appear, inserting the hit count or a file size into the document, and more. The following sections provide step-by-step examples of SSI commands in action.

---

NOTE:  Microsoft’s IIS has some important peculiarities. IIS 2.0, and Microsoft’s Personal Web Server, only support one SSI command—#include—and only in lowercase. IIS 3.0 supports the #include, #flastmod, #fsize, #echo, #config, and #exec directives. However, ASP versions 1.0 and 1.0b only support the #include directive. You can obtain more information on SSI in IIS in the installed documentation at http://yourserver/iasdocs/aspdocs/ssi/isiall.htm.

There are some security concerns with IIS and SSI. If you use the FrontPage Server Extensions with SSI, you should install the updated FrontPage Server Extensions, which do not allow the user to enter HTML into FrontPage feedback forms. If you allow the user to enter HTML, and you enable SSI, you are risking a serious security problem.

Apache has expanded its Web server to use Extended Server Side Includes (XSSI). XSSI provides additional functionality to SSI, including the use of condition statements. For more information, see http://www.apache.org/docs/mod/mod_include.html.

Most other servers support all of the commands listed here or a variant command to accomplish the same task.

---

echo

The following is the syntax for echo:

The current date is <!--#echo var=“DATE_LOCAL” -->

This syntax expands to something like the following when executed by an NCSA or Apache server:

The current date is 28 Feb 1999 12:00:13 GMT-6

The command is echo, the tagname is var (short for variable), and the parameter is DATE_LOCAL, which is a variable defined by the NCSA server that represents the local time on the server. When the server processes this line, it sees that the command requires it to echo (print) something. The echo command takes only one parameter, the keyword var, which is followed by a value specifying which variable you want to be echoed.

Most servers let you echo at least a subset of the standard CGI variables, if not all of them. You can usually find some special variables that are available only to SSI. DATE_LOCAL is one of them.

Again on the NCSA or Apache server, you can change the time format using the SSI config command, as follows:

<!--#config timefmt=“format string” -->

Substitute a valid time format string for “format string” in the preceding example. The syntax of the format string is compatible with the string you pass to the UNIX strftime() system call. For example, %a %d %b %y gives you Sun 28 Feb 99.

Here are some other useful variables you can echo:

You are calling from <!--#echo var=“REMOTE_ADDR”-->

This outputs a line like

You are calling from 38.247.88.150

Here’s another example:

This page is <!--#echo var=“DOCUMENT_NAME”-->

This yields a line resembling

This page is /home/joeblow/ssitest.shtml

Spend some time learning which variables your server lets you echo and the syntax for each. Related commands, such as the config timefmt command, often affect the way a variable is printed.

include

The include command typically takes one of two attributes, file or virtual, with a single parameter specifying which file to include. Using the file attribute, the included file must be something relative to, but not above, the current directory. Thus, ../ is disallowed, as is any absolute path, even if the httpd server process would normally have access there. The virtual attribute allows you to include any file relative to the document root. For example, /otherdir/file.html can be included as long as the Web server can access the file.

Other servers let you specify any path at all, or work with the operating system to limit access in a more flexible way than hard-coding forbidden paths. Purveyor, for instance, lets you use UNC file specifications, thus allowing your include to pull its data from anywhere reachable on the network. Regular Windows NT file permission requirements must be met, of course. Don’t give the user ID under which Purveyor runs access to areas you don’t want to include.