Posts Tagged ‘javascript’

While doing a little Sunday afternoon browsing of Twitter, I noticed Amy Stephen warning about a bad technique for using Joomla! with AJAX-style requests. I followed the link (WARNING: don’t use this code!) and found security vulnerabilities right away. Since the blog in question doesn’t support comments, I’m forced to respond here.

First, as Amy pointed out, the technique creates another entry point into Joomla. While this can be used effectively if you know what you’re doing, it’s totally unnecessary for a casual application of asynchronous JavaScript. Next, class, who can tell me what’s wrong with this piece of code?

cExt( $_POST['func'] );

That’s right, we’re passing data straight from our HTTP request (which can come from anywhere in the WORLD) into our application’s logic. Once we get into the the cExt function, the variable is used to execute code with no filtering whatsoever:

function cExt($func = ''){

    $cext = null;

    if(!empty($GLOBALS['cExt']))

        $cext = $GLOBALS['cExt'];

    else{

        $GLOBALS['cExt'] = new plgCommunityExt();

        $cext = $GLOBALS['cExt'];

    }

    if(empty($func))

        return $cext;

    else{

        if($GLOBALS['ajax'] == true)

            $cext->$func();

        else

            return $cext->$func();

    }

}

Please, regardless of whether or not you use Joomla, don’t do this! It is a totally insecure way of writing code. Instead, if you are using Joomla, you can at least filter this variable using the following code:

$func = JRequest::getCmd('func', '');

This code will filter the func variable from the request and make sure it only includes numbers, letters, or underscores. Additionally, you should filter $func to make sure a corresponding public function in the plgCommunityExt class exists before attempting to use it to actually execute that function.

As a side note, $GLOBALS is being used an awful lot here. While this isn’t a security risk in and of itself, it is a bad practice that can lead to insecure coding. If the register_globals setting in PHP (going away in PHP 6) is turned on, this becomes a huge security risk as anyone in the world can set the value of cExt to anything.

The post ends with this quick jibe:

I’d argue that the author of this blog post would not only benefit from reading a book about CMS development, but one on basic PHP security. The technique he describes is insecure in any PHP-based framework or CMS.

Fortunately, you don’t even have to run to the bookstore to find examples of the correct way of doing these things. Louis Landry has a quick example of how to return JSON formatted data simply and securely on this thread, without having to create a special component view. If you do want to use a view, this blog post will show you how to do it.

Finally, if you do want to learn how to add AJAX-style requests to Joomla (without necessarily using JSON), I’ll shamelessly plug my own book. But you don’t even have to buy it, because the sample chapter is indeed the one on JavaScript and Joomla (start on page 168 if you already know Joomla! MVC).

Framework conflicts are a common problem people run into when using jQuery. While jQuery provides some tricks you can use to get around this, you may still run into issues when Joomla! generates MooTools effects. While writing the second edition of Learning Joomla! Extension Development, I decided to do a chapter on JavaScript and look into this problem a little bit more closely. It turns out you have to make sure MooTools loads before jQuery, then use one of the tricks detailed on jquery.com.

Fortunately, this can be done in Joomla! consistenly, so I documented it. Packt decided to release the entire JavaScript chapter as the sample PDF for my book, so you can read everything you need to know about implementing this technique for free!

Flot – Want to build dynamic graphs without using Flash? Flot is ready. It’s lightweight and pretty quick to pick up. I’m using it for a project where people can add and remove as many data series as they wish. Throw in some JSON calls and the results are pretty impressive. Although I can’t show off that project here, take a look at some of the posted examples. It’s based on jQuery and produced by a Danish firm.

MacFUSE and SSHFS – One of the biggest problems I’ve run into with using Macs is that Finder cannot mount FTP and SFTP sites as writable volumes. While you can get clients like CyberDuck that will allow you to do transfers, editing the files for an entire website this way can be tedious. Using MacFUSE and SSHFS together can get around this limitation. SSHFS is still in a very early release and I did run into some stability issues when mounted all day long, but the core functionality is there.

Selenium IDE – Testing and debugging web interfaces has always been a bit of a pain, but Selenium IDE can make the process much, much faster. Open up the IDE, click record, then start filling out forms and clicking on elements. Then you can save your test and reopen it later to run it whenever you wish. I did run into a few issues where Javascript generated DOM elements confused the debugger (might be a timing issue), but overall it is a very powerful and easy to use Firefox extension. You can also use Selenium Core on other browsers. I haven’t tried this, but it appears that you can record the test using the IDE in Firefox, then use that same test with Core with the other browsers. Thanks to Laura Thomson for mentioning this one at the DC PHP Conference this past fall.