35 Comments
- Metal_Hurlant, on 10/12/2007, -0/+2
There have been a few such hacks popping up, partly for the "because we can" factor, and partly because XMLHttpRequest has an overly strict security model (SCRIPT tags can load scripts from any domain, yet XMLHttpRequest objects can only hit back the exact hostname the main page comes from..)
One example was a hack using the IMG tag, which returns about 32 bits of data (16 bits as the width, 16 bits as the height of an otherwise empty image. yup, it's not pretty.)
Anyway, while we're looking at that site, the "live demo" setup appears to be vulnerable to XSS attacks.
That's the thing where another (evil) site puts a URL such as
http://www.phpit.net/demo/php%20and%20ajax%20remix/getfile.php?url=http%3Cimg%20onerror=alert(document.cookie)%20src=1%3E&el=a
in an invisible iframe.
Except instead of showing your cookies in an alert dialog, it logs them and uses whatever authentication credentials may be hiding in there.
It's sorta cute that this particular web server appears to have some lame "anti-XSS" module that blocks requests that contain SCRIPT tags. Only 320 other tags, parameters and encoding combinations to block and it'll actually be useful.
The *real* way to prevent XSS is to always encode user input before displaying it back into a page.
PHP functions such as htmlentities() are your friends.
That is all. You can now resume your "Ajax(tm) will change the world" dance.
- james.britt, on 10/12/2007, -0/+2
Check out this quote from the article: "Heck, even Microsoft has gotten wind of the Ajax buzz, and is actually moving toward web-based applications as well."
Microsoft invented the damn thing, and has been offering Web-based apps since '97 or '98.
And clearly this is referring to something other than Asynchronous JavaScript and XML.
This is clever, and very handy, but calling it AJAX? Nope.
- DennisP, on 10/12/2007, -0/+1
I'm the author of the article, so let me address a few issues.
"It seems the author has some weird way of doing traditional Ajax-stuff, since his IE 6.0 gives him ActiveX popups. I've never seen any ActiveX popups on MY Ajax websites?"
Actually, this depends on your security settings. I've got my ActiveX settings on 'Prompt', which means I must click 'yes' before any Ajax works. If I don't allow it, Ajax doesn't work at all, and my method does still work (no ActiveX). If you have ActiveX completely disabled, you won't even get a prompt, but the Ajax simply doesn't work.
If the XmlHttpRequest object was built in natively (like it will be in IE 7), there wouldn't be any problem. My method is simply another way of doing it, which does work fine in IE6.
"Microsoft invented the damn thing, and has been offering Web-based apps since '97 or '98."
I knew I was going to get called on this. I know that Microsoft invented it, and has been using it for years, but until recently, they didn't really pay much attention to it, nor did anyone else for that matter. Only since GMail has Ajax really been gaining ground, and now even Microsoft is fully heading for the web-based apps. Remember the leaked memos a few days ago?
"Looks like a real filthy way-of-doing."
I never said it was a great way of doing it, but it's just another way. It does have a slight advantage over Ajax, when it comes to IE6 (see above).
"I don't get it. Where's the X in AJAX if XmlHttpRequest isn't used? That's stupid."
Well, you're right; what I've done isn't Ajax at all, and should be called 'Remote Scripting', but it's just easier to call it Ajax. Also, most implementations of Ajax aren't really Ajax (Asynchronous JavaScript and XML), because most don't use XML at all.
"This really isn't worth a digg and it seems that people are getting far too over excited about AJAX and are digging things which don't really deserve front page coverage."
I must admit that I was a bit surprised when I noticed a sudden increase to my website, and the amount of comments. Can't say I'm not pleased about it though. ;)
Any more comments, suggestions or general complaints, feel free to leave a comment on the article itself, or contact me through Digg.
- buckaroo, on 10/12/2007, -0/+1
Interesting hack. Another one is to use IFrames:
http://ajaxpatterns.org/IFrame_Call
- headzoo, on 10/12/2007, -0/+0
Oops, lost my examples. Passing data to the PHP script like this:
<input type="button" onclick="ajax_do('page1.php?dbquery=select');">
Of course you can use JavaScript to set what comes after the ? based on user input or whatever.
You can also change the MIME type for .js to PHP by adding a line like this to your .htaccess file:
AddType application/x-httpd-php5cgi js
Whatever directory that .htaccess file is in, all files ending in .js will be treated as PHP scripts. So the above example would look like this:
<input type="button" onclick="ajax_do('page1.js?dbquery=select');">
I think that's just a bit nicer looking than showing that you're requesting a PHP script and not JavaScript.
- spiralhead, on 10/12/2007, -0/+0
Nice hack (not that the XMLHttpRequest method isn't hackish) but what if you need to make a post request? Doesn't seem like this would work for that.
- headzoo, on 10/12/2007, -0/+0
I've been doing something similar to what the author is doing. Some of the things not mentioned are:
You can pass variables to the PHP script in the URL, and use $_GET or $_REQUEST to retrieve the values. That is pretty important since the author's example doesn't show how to send data to the PHP script, only how to get static data back. Using his example, you can do this:
- danlin, on 10/12/2007, -0/+0
Agree. This is cool. Much easier than creating an object.
- headzoo, on 10/12/2007, -0/+0
It's also a good way to access a database using JS. Have a PHP script doing all the queries to the database, and echo/print/whatever JS variables like:
<?php
// runs on the server: fetch the id column of the first result row
$memberId = mysql_result($result, 0, 'id');
?>
// the PHP value is interpolated into a JavaScript string literal
var memberId = '<?php echo $memberId; ?>';
Then your JS scripts have access to the returned values.
- psylence, on 10/12/2007, -0/+0
Easily the most significant achievement in web technology since Ajax.
- indradeep, on 10/12/2007, -0/+0
To add on to buckaroo's earlier post, the IFrames hack to XmlHttpRequest can work pretty well with ASP.NET.
Essentially, a ASP.NET control can be extended to create a hidden IFRAME with it. Whenever an event occurs on the control (be it checkbox / textbox / select , etc), a script posts the changed value back into the IFRAME which belongs to the control. There is a server handler which takes the request forwarded by the hidden IFRAME for the control, and sends the response in a prearranged format.
This information can then be parsed, and populated back into the control using another javascript.
Since each control is independent, multiple controls can be simultaneously loading info from the server.
- jianshi, on 10/12/2007, -0/+0
I don't get it. Where's the X in AJAX if XmlHttpRequest isn't used? That's stupid.
- awecz, on 10/12/2007, -0/+0
Well, I don't know what I should say ;) We're developing an information system based on web technologies. We have been using this approach for ages, we started with that in 1999, when there was IE 4.01 and IIS was used almost anywhere. As the time flowed we added more and more JavaScript(tm) and currently we're looking for something faster, because despite 3Ghz CPUs the browsers are still not fast enough. We'll probably go for Java ...
I'm sorry for the slight off-topic, now to the article - I don't think that it's a good idea to create a SCRIPT element each time they're loading the script ...
- geminitojanus, on 10/12/2007, -0/+0
The only problem I see with this is that with Ajax you have a bit more options when it comes to security; transparent encryption's something I've seen work with Ajax.. not so sure how you'd build an encryption model for this kind of setup.
For totally frivolous data (read: flags), this is a great idea. Set a flag, send it in a get request, simple, likely won't break the PHP on the other side. You get into sending text across the get request and I start to see all kinds of nasty things happening with non-escaped strings, certain characters, etc.
This will very likely make me rethink a few of my websites, as this approach will be easier on older browsers and probably more cross-browser friendly (seeing as everyone can't get along on what to call the XmlHTTPRequest object [thanks Mozilla! even though Microsoft had a name for it when they invented it, you feel the need to give it another name, just because it deals with ActiveX. Cut us a break and rename the object for the love of god].)
- SecularG, on 10/12/2007, -0/+0
Post request wouldn't work since you're not doing a straight HTTP request like with XMLHttpRequest. You are requesting to include a script.
I was actually doing this method before the whole AJAX buzz and heard about XMLHttpRequest. Like the XMLHttpRequest a whole lot better.
- willin, on 10/12/2007, -0/+0
Actually that's pretty cool.
- headzoo, on 10/12/2007, -0/+0
Crap, once again, lost my example:
<?php
// runs on the server: fetch the id column of the first result row
$memberId = mysql_result($result, 0, 'id');
?>
// the PHP value is interpolated into a JavaScript string literal
var memberId = '<?php echo $memberId; ?>';
- diggy123, on 10/12/2007, -0/+0
So what if it's old... if it's useful today then it's duggable.
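Both headzoo's `var memberId = '<?php echo $memberId; ?>';` pattern and the unencoded url parameter Metal_Hurlant found in getfile.php put untrusted data into a JavaScript or HTML context. As an added example (not code from the article or from any commenter), here is a getfile-style endpoint that encodes each value for the context it lands in, using json_encode() for the JavaScript context and htmlentities() for the HTML context; the function names and the sample request values are hypothetical.

```php
<?php
// Added example, not from the article or any commenter. A remote-scripting
// endpoint in the style of getfile.php?url=...&el=... that is loaded via a
// dynamic <script> element. Whatever it echoes executes as JavaScript inside
// the including page, with that page's cookies, so each untrusted value must
// be encoded for the context it lands in. Function names and the sample
// inputs below are hypothetical/constructed.

// JavaScript context: json_encode() yields a valid JS string literal, and the
// HEX flags also encode < > & ' " so the value cannot terminate a </script>
// block when the same output is inlined into an HTML page.
function embed_js(string $name, $value): string {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return "var $name = " . json_encode($value, $flags) . ";";
}

// HTML context (the reflected url parameter): ENT_QUOTES encodes both quote
// styles, ENT_SUBSTITUTE avoids an empty result on bad UTF-8, and the charset
// is stated explicitly instead of relying on the default.
function encode_html(string $value): string {
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request values; the default for url mirrors the payload quoted
// in the thread so the encoding can be seen doing its job.
$url = $_GET['url'] ?? 'http<img onerror=alert(document.cookie) src=1>';
$el  = $_GET['el']  ?? 'a';

// A <script src> include is not restricted by the same-origin policy, so any
// site can load this file: it must never emit data tied to the visitor's
// session, and the el value is only ever used as an element id.
header('Content-Type: application/javascript; charset=UTF-8');

echo embed_js('targetId', $el), "\n";
echo embed_js('safeHtml', encode_html($url)), "\n";
echo "document.getElementById(targetId).innerHTML = safeHtml;\n";
```

Run on the command line with no query string it prints three JavaScript statements in which the constructed payload appears only as an encoded string literal, never as markup.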
- zakainsworth, on 10/12/2007, -0/+0
Very nice... +Digg
- br0ken1128, on 10/12/2007, -0/+0
Ok I admit this is a little dirty but it was EXACTLY what I needed for a particular project.. just a simple little way of refreshing a div content every two minutes, ajax is a little complex for our simple need .. this suited it perfectly
- jool, on 10/12/2007, -0/+0
Well technically the X just stands for XML and you could just as well pass it using that method. It just feels so wrong to do it that way, adding html code just to make a call. And you don't get the actually useful features of normal AJAX. That is for instance getting an xml object which you can use xpath on. This is more for simple tricks than a serious application.
- n8f8, on 10/12/2007, -0/+0
Clever hack but I'll keep it in mind.
- juliepigeon, on 10/12/2007, -0/+0
From a developer's point of view, XmlHttpRequest is the best method to retrieve data from other pages. Before the popularization of XmlHttpRequest/AJAX there were many methods of doing the same, however they were all glorified horrid hacks that slowed the whole process down. I used to use the iframe method and/or the crazy attach script method and both are completely redundant in my eyes now.
This really isn't worth a digg and it seems that people are getting far too over excited about AJAX and are digging things which don't really deserve front page coverage.
- bhaugh, on 10/12/2007, -0/+0
What happens when you take AJAX, make it synchronous (by omitting the use of the XMLHttpRequest object), and feed non-XML data through it?
AJaX - A - X = J.
You're left with Javascript.
Seriously, guys, it's a good article, and maybe it needed to be dugg so all the web programming n00bs out there could witness the hotness of responsible Javascript sans AJAX, but THIS. IS. YEARS. OLD.
- Kam3k, on 10/12/2007, -0/+0
Seems to limit you to doing a GET request when POST would be more appropriate, i.e. when data is being modified on the server. The prototype library is a much better approach I think (http://prototype.conio.net/), partly because you can have an ajax submitted form degrade gracefully to use a conventional request when javascript isn't available. This handles serialization of forms etc, and allows links to create a POST request when that is safer than using a normal link.
- veracon, on 10/12/2007, -0/+0
I've been using this for ages, it's actually quite neat. That's why I rarely bother creating an XML object (except of course when doing POST).
- sedgemonkey, on 10/12/2007, -0/+0
Bummer that ooooooooooooold hacks like this get dugg. Lame.
- codeNinja, on 10/12/2007, -0/+0
And a Digg from me as well for the nice, level-headed response.
- bkool, on 10/12/2007, -0/+0
Cool, but there are lots of ways to do AJAX-ish type stuff without using XmlHttpRequest. The first one I saw and used was doing a POST/GET to a page in a hidden iframe which returns data in javascript form, calling a javascript function in the parent page.
Although, these other methods do seem kind of hackish compared to using XMLHttpRequest.
- BenDuffy, on 10/12/2007, -0/+0
Your response to the rabid codemongers was great DennisP, for that I Digg u.
Cheers
- ajh1138, on 10/12/2007, -0/+0
Indeed, DennisP, good job on the response. Concise, non-reactionary. Dugg.
- Ramon, on 10/12/2007, -2/+0
Looks like a real filthy way-of-doing.
It seems the author has some weird way of doing traditional Ajax-stuff, since his IE 6.0 gives him ActiveX popups. I've never seen any ActiveX popups on MY Ajax websites?
- inactive, on 10/12/2007, -4/+0
Stupid AJAX everything!
We get it, it's "AJAXIFIED", enough already!
- redguy, on 10/12/2007, -4/+0
WHAT THE ***** IS AJAX