nickvd wrote: In situations such as this, I feel that it is not only appropriate, but pretty much required to force javascript to be turned on.
That's exactly what I was trying to say.
Thoughts?
Opinion poll.
- akimm
- Forum Contributor
- Posts: 460
- Joined: Thu Apr 27, 2006 10:50 am
- Location: Ypsilanti Michigan, formally Clipsburgh
I love these sort of conversations, it's always nice to read others' thoughts, especially when they know more than you. I agree with all of you that say JS is important, I think in the end as someone put it best, AJAX will become an important skill. JS provides so many possibilities, that it seems silly to just ignore them, however, the fact that users can disable it scares me, because, I then must write compensation code so to speak, in order to disallow disabling functionality on the user's account.
Thanks for all the replies, I hope you'll continue, as I'm enjoying this discourse very much, and I think there are those among you who agree.
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
Quote: Never heard of Dojo, I'll have to look it up thanks
Dojo had a new release recently during the Ajax Experience conference (see http://www.ajaxian.com and down the page a bit). It's a heavyweight toolkit full of widgets, javascript language extensions, AJAX capabilities (though it uses some bind/io name for it), and lots more. It uses a package system to manage what parts get included. Unfortunately (I've been testing) certain elements from the widget library crash Firefox when certain Firefox addons are present - must be some sort of conflict... It's also poorly documented (not a surprise I suppose).
Quote: I think in the end as someone put it best, AJAX will become an important skill.
I think so too. That's not the only factor to consider. A good programmer will keep their skillset current. If I had a choice between a web developer who knew AJAX and javascript, and one who just knew PHP, then I'd be more inclined to hire the AJAX knowledgeable one. Give it time and that trend will become apparent IMO...
Incidentally, if Javascript is not your cup of tea, there's PEAR::HTML_AJAX and other similar PHP libraries to make it easier on PHP developers. Personally I don't use any of them - I like cutting to the chase and wrestling with Javascript...
One for Firefox2 - it offers Javascript 7.
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
JavaScript's bad rep comes from the various browsers implementing their own flavors.
Just look at the chunk of code needed to instantiate a XMLHttpRequest object on every popular browser for an example..
Then there is the issue of what if JavaScript is off? Or the browser doesn't support the functionality you want, or just plain doesn't have JS?
The above is why I am a firm believer JS is an optional fancy and nothing more.
I use it, I use it a lot, but still regard it as optional and thus my sites offer the same functionality with or without it, it just might be a little more expensive without it.
- akimm
- Forum Contributor
- Posts: 460
- Joined: Thu Apr 27, 2006 10:50 am
- Location: Ypsilanti Michigan, formally Clipsburgh
The only thing I fear is the knowledgeable programmer, with JS can mess with my forms and other programs can't they? I mean just a while back, someone posted code which removes all HTML markup 'img' then forces that with some cool trig functions into a fast floating circle on the page. I know this is harmless, but I'm not so far into JS, that this one vulnerability, seems to be an ominous point of what could happen.
Am I wrong?
- akimm
- Forum Contributor
- Posts: 460
- Joined: Thu Apr 27, 2006 10:50 am
- Location: Ypsilanti Michigan, formally Clipsburgh
As far as the extension issue in Firefox. Why not use JS to check browser, if it's Firefox, disable the Dojo extensions, use alternative methods, or none at all. I say this because of Firefox's popularity, it's very likely that one point or another, someone will come by and get a rude awakening, when they get their web crashed.
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
That would be up to the Dojo developers... In my ideal world, checking the user's browser should never be required. I haven't looked into this in any detail. All I know is that Dojo widgets crash Firefox with the presence of a subset of FF addons. It's enough to make me reconsider using Dojo on a major application despite Dojo's immense library of features.
I should note that I have not as yet tested Dojo 0.4 (new) with Firefox 2 (also new) - this could all be fixed/figured out by now.
akimm wrote: The only thing I fear is the knowledgeable programmer, with JS can mess with my forms and other programs can't they?
Forms can be manipulated without javascript... my web developer extension allows me to change the html on a page, so I can change whatever form I want. That is why it is so important to make sure you validate information before accepting it on the server side and also why javascript or any other client side method of validation is worthless (by itself anyway)
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
akimm wrote: The only thing I fear is the knowledgeable programmer, with JS can mess with my forms and other programs can't they? I mean just a while back, someone posted code which removes all HTML markup 'img' then forces that with some cool trig functions into a fast floating circle on the page. I know this is harmless, but I'm not so far into JS, that this one vulnerability, seems to be an ominous point of what could happen.
Am I wrong?
This doesn't even require javascript. I can view source your forms page, rewrite what I want, save the HTML to my desktop, load it in my browser and post the form to the page you intended to receive it. Of course this is not always available, but it is certainly a possibility.
This in itself is the main reason I do not rely on client side validation. I might use it, but I will not rely on it. The server gets the data, the server checks the data...
- akimm
- Forum Contributor
- Posts: 460
- Joined: Thu Apr 27, 2006 10:50 am
- Location: Ypsilanti Michigan, formally Clipsburgh
Everah Said:
This doesn't even require javascript. I can view source your forms page, rewrite what I want, save the HTML to my desktop, load it in my browser and post the form to the page you intended to receive it. Of course this is not always available, but it is certainly a possibility.
I'm very aware that you* can alter site A) source code, but I'm saying, that's not to say you can then add it to my server. Thereby changing my site's HTML elements.
And notepad I assume is the same, unless there is something I don't know.
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
It doesn't have to be on your server. What I am saying is this... let's say I have a form on my site and you view the source, then save the source to your computer. You can actually modify the form and send it to my server anyway, right from your computer. Try this... take this HTML and save it to your desktop, then load it into your browser and submit it. It goes to my server and actually executes my PHP code...
Code:
<html>
<head><title>Who's form is this anyway?</title></head>
<body>
<form method="post" action="http://www.codecompare.com/form_recipient.php">
<p>Make sure the number below is 5 then hit submit:</p>
<p><input type="text" name="number" value="5" /></p>
<p><input type="submit" name="send-button" value="Send this form to where ever" /></p>
</form>
</body>
</html>
Here is the code in form_recipient.php
Code:
<html>
<head><title>Who's form is this anyway?</title></head>
<body>
<?php
if (isset($_POST['number']) && $_POST['number'] == 5) {
echo '<p>You cracked my form!</p>';
} else {
echo '<p>Nothing came to this or you didn\'t enter 5!</p>';
}
?>
</body>
</html>
Now if I am not checking my form inputs on the server, all of this information gets sent to my server, and if the script is not prepared to handle it or check for it, it may actually take input from who knows where and use it against your server.
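Added example, not part of the thread or of any poster's code: a server-side check of the kind the replies above argue for, applied to the `number` field of the demo form. The function name `validate_submission`, the allowed field list and the 1..10 range are assumptions for illustration; the sample submissions are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Validate a POST body on the server, treating every field as untrusted,
 * because the form that produced it may be a modified local copy.
 * Returns [true, int] on success or [false, string reason] on rejection.
 */
function validate_submission(array $post): array
{
    // Allow-list the fields this handler expects; reject anything extra.
    $allowed = ['number', 'send-button'];
    if (array_diff(array_keys($post), $allowed) !== []) {
        return [false, 'unexpected field'];
    }
    // The field must be present and a plain string (number[]=5 arrives as an array).
    if (!isset($post['number']) || !is_string($post['number'])) {
        return [false, 'number missing or not a string'];
    }
    // Strict integer parse with a range, instead of a loose == comparison,
    // which treats numeric strings such as "5.0" as equal to 5.
    $n = filter_var(
        $post['number'],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10]]
    );
    if ($n === false) {
        return [false, 'number is not an integer in 1..10'];
    }
    return [true, $n];
}

// Constructed sample submissions (not captured traffic).
$samples = [
    ['number' => '5', 'send-button' => 'Send'],
    ['number' => '5.0'],
    ['number' => '<b>5</b>'],
    ['number' => ['5']],
    ['number' => '5', 'is_admin' => '1'],
];

foreach ($samples as $post) {
    [$ok, $result] = validate_submission($post);
    // Encode anything echoed back so rejected input cannot inject markup.
    $shown = htmlspecialchars(json_encode($post), ENT_QUOTES, 'UTF-8');
    echo ($ok ? 'accepted ' : 'rejected ') . $shown . ' : ' . $result . PHP_EOL;
}
```

Only the first sample is accepted; in a real handler the array passed in would be `$_POST`.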