First, as Amy pointed out, the technique creates another entry point into Joomla. While this can be used effectively if you know what you’re doing, it’s totally unnecessary for a casual application of asynchronous JavaScript. Next, class, who can tell me what’s wrong with this piece of code?

cExt( $_POST['func'] );

That’s right, we’re passing data straight from our HTTP request (which can come from anywhere in the WORLD) into our application’s logic. Once we get into the the cExt function, the variable is used to execute code with no filtering whatsoever:

function cExt($func = ''){

    $cext = null;

    if(!empty($GLOBALS['cExt']))

        $cext = $GLOBALS['cExt'];

    else{

        $GLOBALS['cExt'] = new plgCommunityExt();

        $cext = $GLOBALS['cExt'];

    }

    if(empty($func))

        return $cext;

    else{

        if($GLOBALS['ajax'] == true)

            $cext->$func();

        else

            return $cext->$func();

    }

}

Please, regardless of whether or not you use Joomla, don’t do this! It is a totally insecure way of writing code. Instead, if you are using Joomla, you can at least filter this variable using the following code:

$func = JRequest::getCmd('func', '');

This code will filter the func variable from the request and make sure it only includes numbers, letters, or underscores. Additionally, you should filter $func to make sure a corresponding public function in the plgCommunityExt class exists before attempting to use it to actually execute that function.

As a side note, $GLOBALS is being used an awful lot here. While this isn’t a security risk in and of itself, it is a bad practice that can lead to insecure coding. If the register_globals setting in PHP (going away in PHP 6) is turned on, this becomes a huge security risk as anyone in the world can set the value of cExt to anything.

The post ends with this quick jibe:

I’d argue that the author of this blog post would not only benefit from reading a book about CMS development, but one on basic PHP security. The technique he describes is insecure in any PHP-based framework or CMS.

Fortunately, you don’t even have to run to the bookstore to find examples of the correct way of doing these things. Louis Landry has a quick example of how to return JSON formatted data simply and securely on this thread, without having to create a special component view. If you do want to use a view, this blog post will show you how to do it.

Finally, if you do want to learn how to add AJAX-style requests to Joomla (without necessarily using JSON), I’ll shamelessly plug my own book. But you don’t even have to buy it, because the sample chapter is indeed the one on JavaScript and Joomla (start on page 168 if you already know Joomla! MVC).

Fortunately, this can be done in Joomla! consistenly, so I documented it. Packt decided to release the entire JavaScript chapter as the sample PDF for my book, so you can read everything you need to know about implementing this technique for free!

MacFUSE and SSHFS – One of the biggest problems I’ve run into with using Macs is that Finder cannot mount FTP and SFTP sites as writable volumes. While you can get clients like CyberDuck that will allow you to do transfers, editing the files for an entire website this way can be tedious. Using MacFUSE and SSHFS together can get around this limitation. SSHFS is still in a very early release and I did run into some stability issues when mounted all day long, but the core functionality is there.

Selenium IDE – Testing and debugging web interfaces has always been a bit of a pain, but Selenium IDE can make the process much, much faster. Open up the IDE, click record, then start filling out forms and clicking on elements. Then you can save your test and reopen it later to run it whenever you wish. I did run into a few issues where Javascript generated DOM elements confused the debugger (might be a timing issue), but overall it is a very powerful and easy to use Firefox extension. You can also use Selenium Core on other browsers. I haven’t tried this, but it appears that you can record the test using the IDE in Firefox, then use that same test with Core with the other browsers. Thanks to Laura Thomson for mentioning this one at the DC PHP Conference this past fall.