PortalParts.com Site

Experimenting with Yahoo Library and AJAX

Geeklog Topics

I've been using AJAX in my client projects for the past year but have been looking for a library and well-supported framework to replace my custom scripts for a number of months. There are probably 100 such libraries out there now, but I've been following the development and community support for the Yahoo Library for the past few months. The third developer release is due shortly and it's really looking good.

The library has quite a few great components that I've been testing out, and I have a test script using their AJAX component, Connection Manager, that you can check out. It's an initial version of an enhanced Account Management screen that integrates the Account Profile and Preferences on a single page. Using AJAX, the update is done without refreshing the page, and a status message shows the update progress and any errors.

MS SQL Support for Geeklog

Geeklog Topics

Geeklog currently only supports MySQL. As part of a client project, my colleague Randy completed work on a new database class and custom functions to allow GL and plugins to work with MS SQL as the database. This was done in such a way as to require a minimal set of changes to GL code; the changes that have been identified are really cases of non-standard or loosely defined MS SQL syntax. We have completed testing GL 1.4 and many plugins, have several of the GL Development team now looking at our code, and would like to extend the testing to other interested developers who have MS SQL experience.

If you are a developer with MS SQL experience and are interested in testing out the MS SQL support, please send me an email or private message and I will add you to our mssql test group, where you will have access to the archive. Our plan is to make this part of a future GL release, but for now we only want to release this to developers as it does require a reasonable level of technical knowledge.

Once you have been added to the download group, you will have access to the archive, which includes a summary of the needed GL changes, the DB class file, and the MS SQL user-defined functions and stored procedures. The MSSQL class and custom functions perform the translation of MySQL syntax to MSSQL and allow transparent support of features like MySQL's record paging syntax 'Limit X offset Y', which is used everywhere in GL and plugins to page through records. If there is sufficient interest, I will create a forum for group discussion and project updates.

Geeklog Developers Tool and Filtering Incoming Data Best Practices

Geeklog Topics

As developers, it's important that we protect our applications and data from all the possible attacks or hostile data that can be entered from a form, URL or cookie, for example. The golden rule is to not trust any incoming data and to only accept data in the expected format. In addition to just testing for numeric or valid data, there are numerous attacks that we now need to defend against. These attacks include:

  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgeries (CSRF)
  • SQL Injection
  • SPAM attacks

Geeklog has always prided itself on a strong security focus. It can be a challenge keeping up with the latest exploits, but Geeklog provides common core functions for filtering incoming data and bad language, as well as plugins for filtering spam and banning content from users or IP addresses. As developers, we cannot always block or filter out all HTML; a comment input is one example. This is where it gets more complicated, but Geeklog does provide a nice set of core functions to filter out unwanted HTML and JavaScript. Another complication for developers is handling quotes and other special characters.

There are many great resources on the internet that explain web development, security and input filtering in detail. The purpose of this article is to share a small script I wrote that can be used to test the various Geeklog library functions and PHP native functions on input data and see the resulting effect. The test script can be seen here. You can enter any test data, including bad language, HTML and JavaScript, and test the effects of the various filtering options.

The [Test Data] link will insert some test data, and then you can toggle on the various filters and PHP functions to see the result: both the raw data equivalent and the resulting displayed data. The test data includes an XSS attack where a JavaScript function is included, which could be replaced with a script that executes a more serious exploit.
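A small stand-in for the filter test script described above, added here as an example and not the page's own script or Geeklog code: it runs a constructed test string (inline HTML, quotes, an ampersand and a harmless alert() probe) through Python equivalents of PHP's strip_tags() and htmlspecialchars(), plus an assumed whitelist filter for the comment-field case, and reports the raw output of each together with whether a script tag survived it.

```python
import html
import re

# Constructed test data in the spirit of the page's [Test Data] button: plain text,
# inline HTML, quotes, an ampersand and a harmless <script> probe (alert, not an exploit).
TEST_INPUT = 'Hi <b>bold</b> "q" & <script>alert(1)</script>'

TAG_RE = re.compile(r'<[^>]*>')
SCRIPT_RE = re.compile(r'<\s*script\b', re.IGNORECASE)
# Assumed whitelist of tags considered harmless in a comment field; everything else stays escaped.
ALLOWED_TAGS = ('b', 'i', 'em', 'strong')


def strip_tags(data):
    """Mimics PHP strip_tags(): markup is removed, the text content is kept."""
    return TAG_RE.sub('', data)


def escape_html(data):
    """Mimics PHP htmlspecialchars(): markup is kept as visible text by encoding & < > and quotes."""
    return html.escape(data, quote=True)


def allow_safe_tags(data):
    """Escape everything, then restore only whitelisted bare tags (no attributes).

    Whitelisting after escaping beats blacklisting: unknown tags and any tag
    carrying attributes never reach the browser as markup."""
    escaped = escape_html(data)
    allowed = '|'.join(ALLOWED_TAGS)
    return re.sub(r'&lt;(/?)(' + allowed + r')&gt;', r'<\1\2>', escaped, flags=re.IGNORECASE)


FILTERS = {
    'none': lambda d: d,
    'strip_tags': strip_tags,
    'htmlspecialchars': escape_html,
    'allow_safe_tags': allow_safe_tags,
}


def run_filters(data):
    """Apply each filter and report the raw result plus whether a <script> tag survived."""
    report = {}
    for name, fn in FILTERS.items():
        out = fn(data)
        report[name] = {'output': out, 'script_survives': SCRIPT_RE.search(out) is not None}
    return report


if __name__ == '__main__':
    for name, result in run_filters(TEST_INPUT).items():
        flag = 'UNSAFE' if result['script_survives'] else 'ok'
        print(f"{name:17} {flag:6} {result['output']}")
```

Note that strip_tags() and escape_html() both neutralise the probe, but only escaping preserves what the user typed for display; the whitelist variant is the middle ground a comment field usually needs.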