RubberNeck Designs » AJAX

Screen shot of the up and comming CPI Data Panel

admin — Fri, 03 Jul 2009 14:24:22 +0000

I havn’t posted in few weeks because I have been very busy with several projects. One of the projects I am particularly excited about the CPI panel. The Cpi panel is new “back end” for LoveFineArt.com. IT used to be that each and every product would take about 20 minuets to enter. With this new panel (incorperating secure AJAX), The products can be entered as fast as the site owner can type!

Here is a screen shot of the new back end.

I have also been busy learning the Drupal platform. AS I become more knowledgeable there will be posts and perhaps a special section on this blog devoted to cool new drupalistic methods and problem solving.

AS always, I invite you to leave a coment or sugestion or critisizm.

Dynamically Change the onClick, onChange (or other) Value of an Element

admin — Fri, 15 May 2009 16:38:06 +0000

If you are implementing AJAX, you will likely run into the need to change the functionality of a button dynamically. There is not a whole lot out there on how to quickly accomplish this so here is a simple explanation.

Typically, you have an element such as an “input”, “a” or “select (options)” that has an attribute of “onClick”, “onMouseOver” or “onChange” with a value of some function that will execute upon the event represented by the attribute.

UPDATE: This has been changed to accommodate ie. The following way will work in both Firefox and Internet Explorer:

button_element.onclick = function() {doSomething();};

Thanks! to this post. (note: the answer is at the bottom of the post after some discussion.) Thanks for sharing

To assign a new value to the attribute, you need to identify the element you want to change like this:

elem = document.getElementById(”myElementId”)

Then simply assign the new value to the attribute like this:

elem.attributes["onclick"].value = “myUpdatedFunction(’My parameter’)” ;

Now, if someone clicks on the element, the new updated version of myUpdatedFunction() will be called. Notice that you can even pass a parameter to the function this way. Just be sure to nest your quotes properly.

This method will also work for other attribute types such as onMouseOver, onChange an so on.

I hope this helps.

How to Protect Against SQL Injection

admin — Thu, 07 May 2009 17:44:31 +0000

One of the most common web security problems is SQL Injection. As the name implies, SQL injections works by introducing malicious SQL code where it doesn’t belong. Since it is SQL code you could probably guess that the attacker “injects” his poison via database queries. Web developers often pass some sort of variable to their database queries. Very common are variables that are influenced by user input. User input, to variable, then to query,- get it? So, there is a need for a way of eliminating the user’s ability to manipulate the variable in any way that could effect the query.

What Happens With SQL Injection

By passing an unexpected string of code into a user input, such a form, an attacker send damaging code that causes an otherwise good query to go haywire. For example:

unprotected query is vulnerable

The above snippet of code works as long as users put in the expected information. An attacker, will instead, make clever use of a few extra characters. You likely know by now that SQL requires a semi-colon at the end of each query. PHP automatically adds it in if you omit it. Because of this, the attacker, by closing the string and using the closing parenthesis to finish the query followed by a semi colon, can add an additional query to drop the table.

example of SQL Injection

This is what we in the world of secure web development refer to as a ‘bad thing’!
Scary isn’t it? Attackers have used this method to not only drop tables and destroy records, but also to retrieve highly sensitive information.

How to Protect Against SQL Injection

OK, after that scary bit of information, you’ll be glad to know that protecting yourself is really not all that hard. The hard part is always remembering when and where to do it.

Protecting against SQL Injection is a simple matter of calling a PHP function that renders data safe ( or cleansed ) for use in a query. There are a few methods for cleansing user input in PHP depending on the PHP extension you are using. We will be discussing the mysql extension.The name of the function is:
mysql_real_escape_string(). Notice in this snippet how it is used:

How to protect again SQL Injection

See how easy it is? Just take the user input (in this case a post ) and pass it through the mysql_real_escape_string() function, (as shown on line 7 ). Then use the “cleansed” variable in the query ( as shown on line 9 ).

It is so easy to protect against this, yet it is often overlooked or forgotten. SO remember to use mysql_real_escape_string() to cleanse your input to help guard against SQL Injection.

There is more to learn and be discussed so feel free to stop back or drop me any suggestions or tips to share.

What is AJAX

admin — Fri, 01 May 2009 18:48:08 +0000

Asynchronous Put the “A” in AJAX
The key word is asynchronous.
“1. A process in a multitasking system whose execution can proceed independently, “in the background”. Other processes may be started before the asynchronous process has finished.”—Dictionary.com
Most web pages are rather “choppy” because they need to “refresh” themselves, which is a nice way of saying completely re-load the entire page. This must happen every single time they need to “refresh” their data from the server. You probably have figured out by now that this takes time. What AJAX does is allow a web page to asynchronously update only the portion of the web page that is actually in need of fresh data instead of the entire page. Not only is it much faster, but the effect is that it is much smoother. This is because your eye does not have to endure the “flicker” or “hang ups” of the complete page re-load. Sometime the transaction is so smooth that the user often has no idea that it has happened. Knowing that you have affected the page is often important and a part of good usability. This has lead to coming up with ways to give the user a pleasant visual signal as feedback that they have caused a change on the page.

“J” is for JavaScript
To accomplish the asynchronous there needs to be communication with the web server and the application on the server without reloading the page. Thanks to JavaScript’s XMLHttpRequestObject, we can do that. I will be writing more on this in other articles. Suffice it to say for now; “J” is for JavaScript

“A” is also for AND
AS in Asynchronous JavaScript AND XML

“X” is for XML
The data that is passed back and forth between the server and client’s computer is very often XLM data. However this is not always the case. I very often pass simple text output by PHP code on the server. But anyway, the “X” is for XML.

The basic thing to know is that AJAX is in and of itself not a programming “language” per say. It is a technique or way of doing things that very nicely fits in with the Web 2.0 way of designing web sites. It helps to create a smoother faster more pleasant human experience when it is used properly. Ah! Yes, using it properly. There is a topic for several posts.