Web Developer

petak, 14. prosinca 2007.

Inner HTML

Some like to DOM their way around. Others prefer the simplicity of innerHTML. Julien Lecomte, of Yahoo!, wrote up his thoughts on the problems with innerHTML.

Julien first points out some issues:

* Improper handling of the innerHTML property can enable script-injection attacks on Internet Explorer when the HTML string contains a script tag marked as defered: script defer...script
* Setting innerHTML will destroy existing HTML elements that have event handlers attached to them, potentially creating a memory leak on some browsers.
* You don’t get back a reference to the element(s) you just created, forcing you to add code to retrieve those references manually (using the DOM APIs…)
* You can’t set the innerHTML property on all HTML elements on all browsers (for instance, Internet Explorer won’t let you set the innerHTML property of a table row element)

He then puts together Douglas Crockfords purge and some code to clean up script tags, arriving at:

YAHOO.util.Dom.setInnerHTML = function (el, html) {

el = YAHOO.util.Dom.get(el);
if (!el || typeof html !== 'string') {
return null;

}

// Break circular references.

(function (o) {

var a = o.attributes, i, l, n, c;

if (a) {

l = a.length;

for (i = 0; i = l; i += 1) {

n = a[i].name;

if (typeof o[n] === 'function')

o[n] = null;

}

}

}

a = o.childNodes;

if (a) {

l = a.length;

for (i = 0; i = l; i += 1) {

c = o.childNodes[i];

// Purge child nodes.

arguments.callee(c);

// Removes all listeners attached to the element via YUI's addListener.

YAHOO.util.Event.purgeElement(c);
}

}

})(el);

// Remove scripts from HTML string, and set innerHTML property

el.innerHTML = html.replace(//ig, "");

// Return a reference to the first child

return el.firstChild;

};

petak, 22. lipnja 2007.

Create a Site Authentication Login with PHP and MySQL

Setting up restricted access to certain pages is a breeze. Here I will show a quick way to control who can view specific pages using a form based login system and a MySQL database of allowed users.

First we will set up the database table for storing the user login information. We will be encrypting the passwords later on, here is the SQL code for the table:

CREATE TABLE `users` (
 `id` int(4) NOT NULL auto_increment,
 `username` varchar(32) NOT NULL,
 `password` varchar(32) NOT NULL,
 PRIMARY KEY  (`id`)
) ENGINE=MyISAM

I insert the users manually through my phpMyAdmin front-end. If I am doing a site that has multiple users, then chances are good that I will be using a content management system, such as Drupal. I use this authentication method for smaller sites and do not find it necessary to write a script for inserting users, but creating one would be relatively simple. The one thing you need to be sure to do when inserting a new user is to select MD5 under the function section for the password (see screenshot below). MD5 is a form of encryption that is easy to implement with PHP.

phpMyAdmin Screenshot

Now we have the MySQL end taken care of and we can focus on securing the pages. For each page that we only want to be seen by authorized eyes, we need to put in some PHP code. I put this code snippet as the first text tag. If you are using PHP4, then the code must be the very first text at the top of the web document.

 session_start();

 if (!isset($_SESSION['is_logged_in'])) {
   header("Location:login.php");
   die();
   }
?>

This snippet checks to see if a user has been authenticated for this session. If not, then the user is redirected to a login form and the script dies. If the user has been authenticated for this session, then the page continues to display the contents. Now we need to create a login page. The code above specifically refers to login.php so we will name the new page just that. Here is my code for the login page:

form method="POST" action="check.php"
Username:

input type="text" name="username"

Password:
input type="password" name="password"

input type="submit" id="subbut" value="Submit"
/form

You should notice in the above code that the form is posting to a file named check.php. This file will query our previously created MySQL database to verify the user's credentials. Here is how it is coded:

 session_start();

 if($_SERVER['REQUEST_METHOD'] == "POST") {
   mysql_connect("mysql.example.com", "username", "password");
   @mysql_select_db("database") or die( "Unable to connect to database");
   $result = mysql_query("SELECT * FROM users WHERE username='" .
     $_POST['username'] . "' AND
     password=md5('" . $_POST['password'] . "')");

   if(mysql_num_rows($result) > 0) {
     $_SESSION['is_logged_in'] = 1;
   }
 }

 if(!isset($_SESSION['is_logged_in'])) {
   header("location:login.php");
 } else {
   header("location:authenticated.php");
 }
?>

The username and password are user and password respectively. On the authenticated test page you are given to option of logging out. This was done by creating a file named logout.php with the following code:

 session_start();
 session_destroy();

 header("location:authenticated.php");
?>

iRiver NV - A gadget I'd like to have

Here’s the new iRiver NV in all its glorious smoked Korean shininess. It is my dream gadget! With a 7-inch screen and two SD ports, this thing can do anything except calling: it has an integrated Global Positioning System unit, terrestrial digital TV, FM radio and plays back every format under the sun: MP3, WMA, OGG, ASF, WMV, MPG, Xvid and H.264. I especially like its sexy monochrome display in the thumb control, which will not only show its functions but also show icons indicating what kind of turn you have to do next. And if that wasn’t cool enough, check out the beautiful Bang & Olufsenesque remote control

Web Service

The W3C defines a Web service (many sources also capitalize the second word, as in Web Services) as a software system designed to support interoperable Machine to Machine interaction over a network. Web services are frequently just Web APIs that can be accessed over a network, such as the Internet, and executed on a remote system hosting the requested services. The W3C Web service definition encompasses many different systems, but in common usage the term refers to clients and servers that communicate using XML messages that follow the SOAP-standard. Common in both the field and the terminology is the assumption that there is also a machine readable description of the operations supported by the server, a description in the WSDL. The latter is not a requirement of a SOAP endpoint, but it is a prerequisite for automated client-side code generation in the mainstream Java and .NET SOAP frameworks. Some industry organizations, such as the WS-I, mandate both SOAP and WSDL in their definition of a Web service.

Core specifications

The specifications that define Web services are intentionally modular, and as a result there is no one document that contains them all. Additionally, there is neither a single, nor a stable set of specifications. There are a few "core" specifications that are supplemented by others as the circumstances and choice of technology dictate, including:

: An XML-based, extensible message envelope format, with "bindings" to underlying protocols. The primary protocols are HTTP and HTTPS, although bindings for others, including SMTP and XMPP, have been written.
: An XML format that allows service interfaces to be described, along with the details of their bindings to specific protocols. Typically used to generate server and client code, and for configuration.
: A protocol for publishing and discovering metadata about Web services, to enable applications to find Web services, either at design time or runtime.

WSDL

Recently I have been really interested into WSDL. It is a fascinating concept. Here is something about it for those of you who have never heard of it.

The Web Services Description Language (WSDL, pronounced 'wiz-dull' or spelled out, 'W-S-D-L') is an XML-based language that provides a model for describing Web services. Version 1.1 has not been endorsed by the World Wide Web Consortium (W3C). Version 2.0, for which several drafts have been released, is expected to become a W3C recommendation. WSDL is an XML-based service description on how to communicate using web services. The WSDL defines services as collections of network endpoints, or ports. WSDL specification provides an XML format for documents for this purpose. The abstract definition of ports and messages is separated from their concrete use or instance, allowing the reuse of these definitions. A port is defined by associating a network address with a reusable binding, and a collection of ports define a service. Messages are abstract descriptions of the data being exchanged, and port types are abstract collections of supported operations. The concrete protocol and data format specifications for a particular port type constitutes a reusable binding, where the messages and operations are then bound to a concrete network protocol and message format. In this way, WSDL describes the public interface to the web service. WSDL is often used in combination with SOAP and XML Schema to provide web services over the Internet. A client program connecting to a web service can read the WSDL to determine what functions are available on the server. Any special datatypes used are embedded in the WSDL file in the form of XML Schema. The client can then use SOAP to actually call one of the functions listed in the WSDL. XLang is an extension of the WSDL such that "an XLANG service description is a WSDL service description with an extension element that describes the behavior of the service as a part of a business process" [1]. Resources or services are exposed using WSDL by both Web Services Interoperability (WS-I Basic Profile) and WSRF framework.