PHP Session security
By Shawn Bradley | August 9, 2008
While working on a recent app, I came across a problem that led me down the road of exploring PHP sessions. I had no idea what a complex subject this would turn out to be. In order to record my findings, I am making a list of the most relevant and helpful URLs I’ve encountered in this search.
- Chris Shiflett has a great article on session fixation attacks. Some of the links in the comments are very useful, as well.
Topics: Web Development, Software Development | No Comments »
Beware string length limitation when retrieving HTML via Ajax in Firefox!
By Shawn Bradley | August 1, 2008
I recently had a major mind-bending problem that took several days to diagnose. It began as the usual scenario - some code works fine in one browser, but pukes in the other. This time, however, the offending browser was Firefox, surprisingly. I will elaborate…
The particular feature of the app I was working on is based on the “HTML Message” pattern. In this case, the code is to retrieve an edit form for a record in the database selected by the user. Basically, the user clicks an “edit” link, and the code returns the entire HTML form, with all form fields filled out with current values for that record. This gives the responsiveness of Ajax without resorting to reading the current values from the DOM.
Everything was working great, until I started testing with real data. As I did, I began to notice odd behavior in Firefox (really, it wasn’t IE this time!) Because of the structure of my form, it wasn’t apparent at first what was actually happening. It gave the appearance of random bugs. However, after spending several days taking apart my code and putting it back together, it eventually became clear that all these problems were occurring because my HTML incomplete when it arrived from the server. Clued in to this possibility, I inserted a simple alert() statement to check the length of the returned HTML string, and Bingo! In FF, the length is limited to 4096! For some reason, this limitation is not imposed when running in IE.
Further research and digging in the documentation for Prototype revealed that I was not using the best approach anyway, so I should consider this a mixed blessing. My original approach was to use the Ajax.Request object, like this:
var ajax = new Ajax.Request(
url,
{
method: "get",
parameters: pars,
onFailure: function(){ handleFailure(); },
onComplete: function(transport){ handleComplete(transport.responseText); }
});
It is this approach that results in the limitation on the length of the returned text. This is apparently built into Protoype somewhere, but I have no intention of attempting to figure out where or why. I discovered a better approach:
var ajax = new Ajax.Updater(
{success: 'form_div', failure: 'msg_div'},
url,
{
method: 'get',
parameters: pars,
onLoading: function(){ handleLoading(); },
onComplete: function(){ /* no handler needed! */ }
});
This is much simpler, although it doesn’t appear simpler at first glance. The major difference is that I don’t have to explicitly handle the returned text. I simply specify the ID of the DIV that is to be updated with the retrieved HTML, and Prototype does the rest! If an error occurs, the message is stuffed into the specified error message DIV, as well. This is much cleaner, elegant, and works in both browsers with no limitation on the length of returned text.
Topics: Web Development, Software Development | No Comments »
PHP $_FILES array mysteriously empty when uploading a file
By Shawn Bradley | July 17, 2008
Recently, a mysterious problem crept into the web application I was developing. This particular app is a membership management tool, part of which is designed to track eligibility for membership in the organization. This particular organization requires its members to provide documentation of their attendance at continuing education events. This documentation is provided to the organization via uploading scanned documents into the member’s profile.
All was well, and working quite nicely, until one day files would no longer upload. After several hours of hair-pulling, I narrowed it down to the fact that the $_FILES variable was empty after the upload form was submitted. The big question, of course, was WHY??
After trying all of the obvious debugging techniques, all to no avail, I resolved to start with a blank slate and put my code back together one small piece at a time. Eventually, I discovered that if I named my form something different than what it was before, the upload works, and $_FILES is not empty. Further investigation revealed that the culprit was some of my slick Javascript UI code.
I had written a JS function designed to display a feedback GIF, and at the same time, disable the form and change its opacity so it appears grayed out. Due to an earlier debugging session wherein IE was not disabling form controls correctly, I had commented out the code that was responsible for disabling all form controls. After resolving that problem, I restored that code, and once again my slick form feedback UI was working marvelously. However, this fix had the unexpected consequences of torpedoing my file uploading!
Basically, what was wrong is this: When the form controls are disabled by Javascript just prior to the form submission, PHP doesn’t recieve the form data correctly. This resulted in the empty $_FILES array. Removing the code that was disabling my form was all it took to get file uploading working fantastically again. Bottom line - be very careful with slick UI tricks. They can bite you!
Topics: Web Development, Software Development | No Comments »
Drawing vector graphics with javascript
By Shawn Bradley | September 30, 2007
In my trolling, I came across this javascript library for drawing graphics. It could be useful in the future…
Topics: Web Development | No Comments »
md4, md5 and sha-1 cryptography in Javascript
By Shawn Bradley | September 15, 2007
Here is a fabulous tutorial on using cryptography in Javascript to create a secure login system.
Topics: Web Development, Software Development | No Comments »
Filtered advertising
By Shawn Bradley | September 15, 2007
There are some great suggestions at this blog for filtering Adsense advertising based on several visitor parameters.
Topics: Blogging | No Comments »
Whitespace in XML - Firefox vs. IE
By Shawn Bradley | September 15, 2007
Today, for a change, I am actually more approving of this particular difference between IE and Firefox. In this case, Firefox is a little TOO rigid in standards adherence, in my opinion. I’m talking about how the two handle whitespace in XML documents.
Adhering to the absolute letter of the standards law, Firefox interprets whitespace as empty text nodes. The end result here is that you cannot format your XML document for readability without introducing a bunch of bogus nodes when the data is processed in Firefox. IE doe things differently - it treats whitespace as most programmers are accustomed to treating whitespace, namely, it ignores it!
Therefore, to get the two browsers to produce the same results, I had to introduce a new function into my AjaxCaller wrapper that would eliminate blank text nodes after receiving the XML from the server. The following code worked very well:
_cleanWhiteSpace: function(node) {
var notWhitespace = /S/;
for (var i=0; i < node.childNodes.length; i++)
{
var childNode = node.childNodes[i];
if ((childNode.nodeType == 3)&&
(!notWhitespace.test(childNode.nodeValue)))
{
// that is, if it's a whitespace text node
node.removeChild(node.childNodes[i]);
i--;
}
if(childNode.nodeType == 1)
{
// elements can have text child nodes of their own
this._cleanWhiteSpace(childNode);
}
}
},
Topics: Web Development, Software Development | No Comments »
Image map coordinates calculated incorrectly by IE7
By Shawn Bradley | September 6, 2007
OK, this one really pissed me off!!! For days now, I have had a problem with a complex image map. As usual, it’s the same old tune - it works fine in Firefox, but barfs in IE. I have an image map that displays several East Texas counties. As the user rolls over the different counties, additional information is displayed in a separate DIV. I got it working fine in Firefox, but when I tested it in IE, the coordinates were incorrect. My DIV would only appear if I rolled over a part of the polygon, but most of the polygon is ignored completely.
I surfed forums and blogs for hours searching for a clue. When I found nothing, I decided to completely re-construct the page from scratch and locate the point where the problem occurs. I went back to Photoshop and exported my image map, checking it in IE immediately. At this point, it worked fine. I then began modifying the resulting code, testing each change along the way. I made a bunch of changes, most of which were formatting, and tried again in IE. Mysteriously, the problem appeared! This was quite puzzling since the changes were only formatting, not functional. I rolled back these changes, and it worked again. Weird…
So my next step was to incrementally re-institute my formatting changes (I tend to be a bit anal about indents and white space), testing each change in IE. Everything worked fine, until I changed the indenting on the block of code that defines the image map. As soon as I indented these lines, the problem returned. When I removed the indenting, aligning the code to the far left, the problem went away. Further experimentation revealed that as long as the <area> tags are left aligned, the map works fine in IE7. Otherwise, the coordinates are calculated incorrectly in the image map.
Topics: Web Development, Software Development | No Comments »
Careful with filenames when deploying to Linux
By Shawn Bradley | September 5, 2007
Today, I lost a substantial amount of time troubleshooting a site deployment. My development platform is Windows, and the site was fully functional on my system. However, when I deployed it to the production server, suddenly files were not able to load. After attempting numerous variations of the path settings, it finally dawned on me that one of the files had a capital letter. In Linux, this matters! As soon as I renamed the file, everything worked fine.
Topics: Uncategorized | No Comments »
Unit testing VBA projects
By Shawn Bradley | August 27, 2007
One of my current projects requires exclusive development in Microsoft Access using VBA. Having put my hand to the plow, so to speak, of extreme programming, I was quite unwilling to return to traditional methods of development. Yet it appeared I was constrained by my inability to drive a VBA app from outside of the Access IDE.
Fortunately, after some poking around on Sourceforge, I was able to locate an NUnit-based project graciously contributed by rharwood. This project is called VBAUnit (naturally) and is available here. The owner of VBAUnit explains that this was a quick and dirty implementation, since VBA development is not a mainstay, but it certainly did the trick for me. I would not have survived this current project with even a modicum of sanity had I not discovered this valuable contribution. If you are doing, or plan to do, any work in VBA, I highly recommend utilizing this resource.
Topics: Software Development | No Comments »
« Previous Entries