Posted: Thu Oct 26, 2006 7:16 pm
by Luke
nickvd wrote: In situations such as this, I feel that it is not only appropriate, but pretty much required to force javascript to be turned on.
Thoughts?
That's exactly what I was trying to say.
Posted: Thu Oct 26, 2006 9:04 pm
by akimm
I love these sort of conversations, it's always nice to read others' thoughts, especially when they know more than you. I agree with all of you that say JS is important, I think in the end as someone put it best, AJAX will become an important skill. JS provides so many possibilities, that it seems silly to just ignore them, however, the fact that users can disable it scares me, because, I then must write compensation code so to speak, in order to disallow disabling functionality on the user's account.
Thanks for all the replies, I hope you'll continue, as I'm enjoying this discourse very much, and I think there are those among you who agree.
Posted: Fri Oct 27, 2006 3:44 am
by Maugrim_The_Reaper
Never heard of Dojo, I'll have to look it up thanks
Dojo had a new release recently during the Ajax Experience conference (see http://www.ajaxian.com and down the page a bit). It's a heavyweight toolkit full of widgets, javascript language extensions, AJAX capabilities (though it uses some bind/io name for it), and lots more. It uses a package system to manage what parts get included. Unfortunately (I've been testing) certain elements from the widget library crash Firefox when certain Firefox addons are present - must be some sort of conflict... It's also poorly documented (not a surprise I suppose).
I think in the end as someone put it best, AJAX will become an important skill.
I think so too. That's not the only factor to consider. A good programmer will keep their skillset current. If I had a choice between a web developer who knew AJAX and javascript, and one who just knew PHP, then I'd be more inclined to hire the AJAX knowledgeable one. Give it time and that trend will become apparent IMO...
Incidentally, if Javascript is not your cup of tea, there's PEAR::HTML_AJAX and other similar PHP libraries to make it easier on PHP developers. Personally I don't use any of them - I like cutting to the chase and wrestling with Javascript...
One for Firefox2 - it offers Javascript 7.

Posted: Fri Oct 27, 2006 3:55 am
by Weirdan
One for Firefox2 - it offers Javascript 7.
1.7 actually.
Posted: Fri Oct 27, 2006 4:46 am
by Maugrim_The_Reaper
Cursed be typos, matie.
Posted: Fri Oct 27, 2006 6:01 am
by Jenk
JavaScript's bad rep comes from the various browsers implementing their own flavors.
Just look at the chunk of code needed to instantiate an XMLHttpRequest object on every popular browser for an example..
Then there is the issue of what if JavaScript is off? Or the browser doesn't support the functionality you want, or just plain doesn't have JS?
The above is why I am a firm believer JS is an optional fancy and nothing more.
I use it, I use it a lot, but still regard it as optional and thus my sites offer the same functionality with or without it, it just might be a little more expensive without it.
Posted: Fri Oct 27, 2006 6:51 am
by akimm
The only thing I fear is the knowledgeable programmer, with JS can mess with my forms and other programs can't they? I mean just a while back, someone posted code which removes all HTML markup 'img' then forces that with some cool trig functions into a fast floating circle on the page. I know this is harmless, but I'm not so far into JS, that this one vulnerability, seems to be an ominous point of what could happen.
Am I wrong?
Posted: Fri Oct 27, 2006 6:53 am
by akimm
As far as the extension issue in Firefox. Why not use JS to check browser, if it's Firefox, disable the Dojo extensions, use alternative methods, or none at all. I say this because of Firefox's popularity, it's very likely that one point or another, someone will come by and get a rude awakening, when they get their web crashed.
Posted: Fri Oct 27, 2006 7:27 am
by Maugrim_The_Reaper
That would be up to the Dojo developers... In my ideal world, checking the user's browser should never be required. I haven't looked into this in any detail. All I know is that Dojo widgets crash Firefox with the presence of a subset of FF addons. It's enough to make me reconsider using Dojo on a major application despite Dojo's immense library of features.
I should note that I have not as yet tested Dojo 0.4 (new) with Firefox 2 (also new) - this could all be fixed/figured out by now.
Posted: Fri Oct 27, 2006 10:00 am
by Luke
akimm wrote: The only thing I fear is the knowledgeable programmer, with JS can mess with my forms and other programs can't they?
Forms can be manipulated without javascript... my web developer extension allows me to change the html on a page, so I can change whatever form I want. That is why it is so important to make sure you validate information before accepting it on the server side and also why javascript or any other client side method of validation is worthless (by itself anyway).
Posted: Fri Oct 27, 2006 10:05 am
by Jenk
notepad allows you to manipulate forms..
Posted: Fri Oct 27, 2006 10:17 am
by Luke
yes... that too.
Posted: Fri Oct 27, 2006 10:32 am
by RobertGonzalez
akimm wrote: The only thing I fear is the knowledgeable programmer, with JS can mess with my forms and other programs can't they? I mean just a while back, someone posted code which removes all HTML markup 'img' then forces that with some cool trig functions into a fast floating circle on the page. I know this is harmless, but I'm not so far into JS, that this one vulnerability, seems to be an ominous point of what could happen.
Am I wrong?
This doesn't even require javascript. I can view source your forms page, rewrite what I want, save the HTML to my desktop, load it in my browser and post the form to the page you intended to receive it. Of course this is not always available, but it is certainly a possibility.
This in itself is the main reason I do not rely on client side validation. I might use it, but I will not rely on it. The server gets the data, the server checks the data...
Posted: Fri Oct 27, 2006 11:38 am
by akimm
Everah Said:
This doesn't even require javascript. I can view source your forms page, rewrite what I want, save the HTML to my desktop, load it in my browser and post the form to the page you intended to receive it. Of course this is not always available, but it is certainly a possibility.
I'm very aware that you* can alter site A) source code, but I'm saying, that's not to say you can then add it to my server. Thereby changing my site's HTML elements.
And notepad I assume is the same, unless there is something I don't know.
Posted: Fri Oct 27, 2006 11:56 am
by RobertGonzalez
It doesn't have to be on your server. What I am saying is this... let's say I have a form on my site and you view the source, then save the source to your computer. You can actually modify the form and send it to my server anyway, right from your computer. Try this... take this HTML and save it to your desktop, then load it into your browser and submit it. It goes to my server and actually executes my PHP code...
<html>
<head><title>Who's form is this anyway?</title></head>
<body>
<form method="post" action="http://www.codecompare.com/form_recipient.php">
<p>Make sure the number below is 5 then hit submit:</p>
<p><input type="text" name="number" value="5" /></p>
<p><input type="submit" name="send-button" value="Send this form to where ever" /></p>
</form>
</body>
</html>
Here is the code in form_recipient.php:
<html>
<head><title>Who's form is this anyway?</title></head>
<body>
<?php
if (isset($_POST['number']) && $_POST['number'] == 5) {
    echo '<p>You cracked my form!</p>';
} else {
    echo '<p>Nothing came to this or you didn\'t enter 5!</p>';
}
?>
</body>
</html>
Now if I am not checking my form inputs on the server, all of this information gets sent to my server, and if the script is not prepared to handle it or check for it, it may actually take input from who knows where and use it against your server.
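The server-side check this thread keeps coming back to, as an added example that is not part of the original posts. It validates the `number` field from the form above without trusting anything the browser did; the function name `check_number_field`, the 1 to 10 range, the length cap and the sample request bodies are assumptions made for illustration.

```php
<?php
/**
 * Added example: server-side validation of the "number" field.
 * Returns [bool $ok, string $message]. The function name and the
 * allowed range are assumptions, not code from the thread.
 */
function check_number_field(array $post): array
{
    // The field may be absent, or an array if the client sent number[]=5.
    if (!isset($post['number']) || !is_string($post['number'])) {
        return [false, 'number is missing or not a single value'];
    }
    // Cap the length on the server; a saved copy of the form can drop any
    // limit the original HTML or JavaScript imposed.
    if (strlen($post['number']) > 4) {
        return [false, 'number is too long'];
    }
    // Strict integer parse with a range. A loose "== 5" comparison would
    // accept "5.0"; FILTER_VALIDATE_INT rejects it along with "5abc".
    $n = filter_var($post['number'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10]]);
    if ($n === false) {
        return [false, 'number is not an integer between 1 and 10'];
    }
    return [true, "accepted $n"];
}

// Constructed request bodies, as a hand-edited copy of the form could send.
$samples = [
    ['number' => '5'],
    ['number' => '5.0'],
    ['number' => '5abc'],
    ['number' => ['5']],
    ['number' => '<b>5</b>'],
    [],
];
foreach ($samples as $post) {
    [$ok, $msg] = check_number_field($post);
    // Escape everything echoed back: the submitted value may contain markup.
    $line = json_encode($post) . ' -> ' . $msg;
    echo ($ok ? 'OK   ' : 'FAIL ') . htmlspecialchars($line, ENT_QUOTES, 'UTF-8') . PHP_EOL;
}
```

Run it with `php` on the command line; only the first sample is accepted, and the rejected ones are reported without the raw input ever reaching the output unescaped.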