Chapter 49: ASP Server
1. What is the Server Object in Classic ASP?
The Server object is a built-in utility object that gives your ASP code access to server-level helper functions — things that only the web server itself can do reliably.
It is not for storing data (like Session/Application), not for reading input (like Request), not for sending output (like Response) — it is for doing server-side tasks that normal VBScript cannot do alone.
Think of it as the toolbox you open when you need to:
- Create COM objects (ADO, FileSystemObject, Dictionary, etc.)
- Map virtual paths to physical disk paths
- Encode strings for safe HTML/URL output
- Execute another .asp page inside the current one
- Get script timeout settings
- Handle errors at a low level
2. The Most Important Server Object Methods & Properties
Here are the ones you will use every day in real Classic ASP code, with a rating for how often each one comes up.
| Method / Property | What it does | Real-world frequency | Example |
|---|---|---|---|
| Server.CreateObject("progid") | Creates a COM object (ADO, FSO, Dictionary, etc.) | ★★★★★ (most used) | Set conn = Server.CreateObject("ADODB.Connection") |
| Server.MapPath("/virtual/path") | Converts virtual URL path → physical disk path | ★★★★☆ | path = Server.MapPath("data/database.mdb") |
| Server.HTMLEncode(string) | Escapes HTML characters (< → &amp;lt;, & → &amp;amp;, etc.) | ★★★★★ (security!) | <%= Server.HTMLEncode(userInput) %> |
| Server.URLEncode(string) | Escapes URL characters (space → %20, & → %26, etc.) | ★★★☆☆ | Response.Redirect "search.asp?q=" & Server.URLEncode(search) |
| Server.Execute("path.asp") | Executes another .asp page and includes its output | ★★☆☆☆ | Server.Execute("header.asp") |
| Server.Transfer("path.asp") | Transfers control to another .asp page (no return) | ★★☆☆☆ | Server.Transfer("error.asp") |
| Server.ScriptTimeout | Get/set seconds before script timeout (default 90) | ★☆☆☆☆ | Server.ScriptTimeout = 300 |
3. Example 1 – Server.HTMLEncode (The Most Important – Security!)
```asp
<%@ Language=VBScript %>
<% Option Explicit %>
<!DOCTYPE html>
<html>
<body>
<h2>User Comment Preview</h2>
<form method="post">
    Comment: <textarea name="comment" rows="5" cols="50"></textarea><br>
    <input type="submit" value="Preview">
</form>
<%
If Request.Form("comment") <> "" Then
    Dim userComment
    userComment = Request.Form("comment")

    ' WRONG – dangerous (XSS risk!)
    ' Response.Write "<p>Your comment: " & userComment & "</p>"

    ' CORRECT – safe
    Response.Write "<p>Your comment (safe): " & Server.HTMLEncode(userComment) & "</p>"

    ' Unencoded on purpose so the difference is visible when testing; never ship this line
    Response.Write "<p>Raw (for debug): " & userComment & "</p>"
End If
%>
</body>
</html>
```
Test it:
Type: <script>alert('hacked!')</script>
→ Safe version shows literal text
→ Unsafe version runs the script (XSS attack)
Rule: Always Server.HTMLEncode when displaying user-controlled strings in HTML.
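The rule above depends on where the value lands in the page. The following added example (not part of the original lesson; search.asp and the q parameter are assumed names) shows the same user-controlled value written into an HTML body, a quoted attribute, and a URL parameter:

```asp
<%@ Language=VBScript %>
<% Option Explicit %>
<%
' Added example. "search.asp" and the "q" parameter are assumed names.
Dim q
q = Request.QueryString("q") & ""   ' user-controlled; & "" coerces a missing value to ""
%>
<!DOCTYPE html>
<html>
<body>
  <!-- 1. HTML body context: HTMLEncode -->
  <p>You searched for: <%= Server.HTMLEncode(q) %></p>

  <!-- 2. Attribute context: HTMLEncode AND double-quote the attribute.
       Server.HTMLEncode escapes " but not ', so single-quoted or
       unquoted attributes are not protected by it. -->
  <form method="get" action="search.asp">
    <input type="text" name="q" value="<%= Server.HTMLEncode(q) %>">
  </form>

  <!-- 3. URL parameter inside an href: URLEncode the value first,
       then HTMLEncode the finished URL because it sits in an attribute. -->
  <a href="<%= Server.HTMLEncode("search.asp?page=2&q=" & Server.URLEncode(q)) %>">Next page</a>

  <!-- HTMLEncode is not an encoder for JavaScript: do not write user input
       into a <script> block or an inline event handler with it. -->
</body>
</html>
```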
4. Example 2 – Server.MapPath + FileSystemObject (Read Text File)
```asp
<%
Dim fso, file, path, content

Set fso = Server.CreateObject("Scripting.FileSystemObject")

' Convert virtual path → physical path
path = Server.MapPath("data/welcome.txt")

If fso.FileExists(path) Then
    Set file = fso.OpenTextFile(path, 1)   ' 1 = ForReading
    content = file.ReadAll
    file.Close
    Response.Write "<pre>" & Server.HTMLEncode(content) & "</pre>"
Else
    ' Shows the physical path for debugging; on a live site, log it instead of displaying it
    Response.Write "<p>File not found: " & Server.HTMLEncode(path) & "</p>"
End If

Set file = Nothing
Set fso = Nothing
%>
```
welcome.txt (in /data folder):
```text
Welcome to our site!
Last updated: February 2026
```
→ Server.MapPath makes the path portable: it works whether the site is in the root or a subfolder.
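Example 2 reads a fixed file. When the file name comes from the request, it has to be validated before it reaches Server.MapPath and FileSystemObject. The following added example (not part of the original lesson; the doc parameter and the /data folder are assumed names) goes beyond the fixed-file case and shows one way to do that:

```asp
<%@ Language=VBScript %>
<% Option Explicit %>
<%
' Added example: "doc" and "/data" are assumed names.
Function IsSafeName(name)
    Dim re
    Set re = New RegExp
    ' Letters, digits, _ and - only: no dots, slashes, backslashes or colons
    re.Pattern = "^[A-Za-z0-9_-]{1,64}$"
    IsSafeName = re.Test(name)
End Function

Dim fso, file, baseDir, docName, fullPath, content
docName = Request.QueryString("doc") & ""

If Not IsSafeName(docName) Then
    Response.Status = "400 Bad Request"
    Response.Write "<p>Invalid document name.</p>"
    Response.End
End If

Set fso = Server.CreateObject("Scripting.FileSystemObject")
baseDir = Server.MapPath("/data")                     ' map the fixed folder only
fullPath = fso.BuildPath(baseDir, docName & ".txt")    ' the server appends the extension

' Defence in depth: the resolved path must still sit directly under baseDir.
If LCase(fso.GetParentFolderName(fso.GetAbsolutePathName(fullPath))) <> LCase(baseDir) _
   Or Not fso.FileExists(fullPath) Then
    Response.Status = "404 Not Found"
    Response.Write "<p>Document not found.</p>"        ' no physical path in the response
Else
    Set file = fso.OpenTextFile(fullPath, 1)          ' 1 = ForReading
    content = ""
    If Not file.AtEndOfStream Then content = file.ReadAll   ' ReadAll errors on an empty file
    file.Close
    Response.Write "<pre>" & Server.HTMLEncode(content) & "</pre>"
End If

Set file = Nothing
Set fso = Nothing
%>
```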
5. Example 3 – Server.CreateObject (ADO Database Connection)
```asp
<%
Dim conn
Set conn = Server.CreateObject("ADODB.Connection")

' Real connection string
conn.Open "Provider=SQLNCLI11;Server=.\SQLEXPRESS;Database=MyShop;Trusted_Connection=yes;"

Response.Write "<p>Connected successfully!</p>"

conn.Close
Set conn = Nothing
%>
```
→ Almost every database-driven Classic ASP page starts with Server.CreateObject("ADODB.Connection")
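Example 3 has no error handling, so a failed CreateObject or conn.Open stops the page with whatever error output the server is configured to show. The following added example (not part of the original lesson; OpenDb and LogError are hypothetical helper names, and the connection string is the one from Example 3) wraps both calls in On Error Resume Next, records the error code server-side, and returns a generic message to the browser:

```asp
<%@ Language=VBScript %>
<% Option Explicit %>
<%
' Added example: OpenDb and LogError are hypothetical helpers.
Sub LogError(where, errNumber)
    ' Appends a short marker to this request's IIS log entry (no commas, max 80 chars)
    Response.AppendToLog " [" & where & " 0x" & Hex(errNumber) & "]"
End Sub

Function OpenDb()
    Dim conn
    Set OpenDb = Nothing

    On Error Resume Next
    Set conn = Server.CreateObject("ADODB.Connection")
    If Err.Number <> 0 Then
        LogError "CreateObject", Err.Number
        Err.Clear
        Exit Function
    End If

    conn.ConnectionTimeout = 10   ' seconds to wait for the server before giving up
    conn.Open "Provider=SQLNCLI11;Server=.\SQLEXPRESS;Database=MyShop;Trusted_Connection=yes;"
    If Err.Number <> 0 Then
        LogError "conn.Open", Err.Number
        Err.Clear
        Set conn = Nothing
        Exit Function
    End If
    On Error GoTo 0               ' stop suppressing errors once the risky calls are done

    Set OpenDb = conn
End Function

Dim db
Set db = OpenDb()
If db Is Nothing Then
    ' Generic message only: no provider text, server name or connection string
    Response.Status = "503 Service Unavailable"
    Response.Write "<p>The service is temporarily unavailable.</p>"
Else
    Response.Write "<p>Connected successfully!</p>"
    db.Close
End If
Set db = Nothing
%>
```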
6. Example 4 – Server.Execute (Include Dynamic Content)
```asp
<!-- main page -->
<h1>Main Page</h1>

<%
' Execute another page and include its output
Server.Execute "sidebar.asp"
%>
```
sidebar.asp
```asp
<div style="float:right; width:200px; background:#eee; padding:10px;">
    <h3>Sidebar</h3>
    <p>Today's special: Biryani ₹399</p>
</div>
```
→ Server.Execute runs sidebar.asp and inserts its output right there — like a poor man’s partial view.
7. Teacher Summary – ASP Server Object in Classic ASP
ASP Server Object is the utility toolbox:
- Server.CreateObject("progid") → create COM objects (ADO, FSO, Dictionary, etc.)
- Server.MapPath("/virtual") → virtual URL → real disk path
- Server.HTMLEncode(str) → escape for safe HTML output (XSS prevention)
- Server.URLEncode(str) → escape for safe URL parameters
- Server.Execute("page.asp") → run another page and include output
- Server.Transfer("page.asp") → transfer control (no return)
- Server.ScriptTimeout → change how long script can run
Always remember:
- Server.HTMLEncode on all user-controlled output
- Server.MapPath for file paths (never hard-code C:\inetpub…)
- Server.CreateObject for almost every COM component (ADO is #1)
- Use On Error Resume Next around risky CreateObject calls
This is how millions of Classic ASP pages created database connections, read files, safely displayed user input, and included shared content — and many legacy Indian systems still use exactly this Server object style in 2026.
