4 Comments
- Bogtha, on 10/12/2007, -1/+2
There are many adjectives I could use to describe this tutorial. "Superb" is not one of them.
Problem #1: Notice that those are XHTML pages. Notice that the JavaScript is shielded from browsers that don't understand the <script> element type with <!-- and -->. To give you an idea of how unnecessary this is, browsers as old as Netscape Navigator 2.0 and Internet Explorer 3.0 understand <script>. The problem this causes is that under XHTML parsing rules, browsers totally ignore commented out code like this. The only reason he hasn't noticed this bug is because his server tricks browsers into thinking that it's HTML and not XHTML.
Problem #2: he instantiates an XMLHttpRequest object with the code:
> myAjax = new XMLHttpRequest();
This leads to subtle and hard to track down bugs, because that line of code sometimes creates a new variable and sometimes assigns to a global variable. He should be using:
var myAjax = new XMLHttpRequest();
Problem #3: He uses browser detection, not object detection. This code:
> if(browser == "Microsoft Internet Explorer") {
> xhr = new ActiveXObject("Microsoft.XMLHTTP");
...will break in browsers based on Trident that are not Internet Explorer, for example Maxthon. Browser detection is stupid and wrong.
http://www.quirksmode.org/js/support.html
It's also inefficient to do it this way as you are performing the check every single time you instantiate an XMLHttpRequest object. The right way to do this is to create a replacement window.XMLHttpRequest if it doesn't already exist, wrapping the ActiveX call in a try block.
Problem #4: This code contains an XSS security hole:
> printf("Username: ".$_GET['username']);
Problem #5: This is utter nonsense:
> The POST method is much more secure and reliable than the GET method.
If you think you are using POST for security reasons, then you are writing insecure code.
Problem #6: javascript: URIs are stupid and wrong:
>
Problem #7: Unsemantic <div> nonsense:
>
This is what the <h1> element type is for.
Problem #8: Wow.
> Then all the contents of a table called 'phonebook' in that database are called with the MySQL query 'select * from database'.
That's right, he actually pulls *every single record* out of the database, and then examines it in PHP to see if it matches. Ever hear of WHERE clauses?
Problem #9: Ah yes, he *has* heard of WHERE clauses. He's used them to open up even more security holes:
> $rs = @ mysql_query("select * from phonebook where id=".$_GET['qid'])
Please read this:
http://www.unixwiz.net/techtips/sql-injection.html
I can't be bothered going any further, but I'm sure I could find plenty more problems with this tutorial. Learn from it at your peril. I recommend this tutorial instead:
http://www-128.ibm.com/developerworks/web/library/wa-ajaxintro1.html
- inactive, on 10/12/2007, -0/+1
You have WAY too much free time on your hands.
- htmlguy, on 10/12/2007, -0/+0
Yeah, if you really examined every single word in the tutorial, then you have way too much free time. And if you think all of that is wrong, why don't you write your own?
- drozofil, on 10/12/2007, -1/+0
Buried it as Inaccurate. Problem #8 is enough for me. Security is important. I think preparing another superb tutorial on SQL injection would be nice.
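The two lines Bogtha quotes under Problem #4 and Problem #9, each beside a hardened version, as an added example that is not from the tutorial or from any commenter. It assumes PHP with the PDO extension, a `phonebook` table with an integer `id` column, and a placeholder DSN; the `vulnerable_*` functions keep the flawed behaviour only to show the contrast.

```php
<?php
// Added example: the quoted snippets next to their fixes. Assumes PDO is
// available and that phonebook.id is an integer column (assumptions, not
// facts from the tutorial).

// Problem #4 as quoted: request input is written straight into the HTML
// response, so a crafted 'username' becomes markup in the victim's browser.
function vulnerable_username_banner(array $get) {
    return "Username: " . $get['username'];           // reflected XSS
}

// Hardened: encode for the HTML text context before output.
function safe_username_banner(array $get) {
    $name = isset($get['username']) ? $get['username'] : '';
    return "Username: " . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

// Problem #9 as quoted: string concatenation builds the WHERE clause, so
// 'qid' can change the meaning of the query rather than just its value.
function vulnerable_lookup_sql(array $get) {
    return "select * from phonebook where id=" . $get['qid'];  // SQL injection
}

// Hardened: validate the id as an integer, then bind it to a prepared
// statement so it never becomes part of the query text.
function safe_lookup(PDO $db, array $get) {
    if (!isset($get['qid']) || !ctype_digit($get['qid'])) {
        return array();                                // reject, do not guess
    }
    $stmt = $db->prepare("select * from phonebook where id = :id");
    $stmt->bindValue(':id', (int) $get['qid'], PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request values; no database is needed for these two checks.
$xss  = array('username' => '<script>alert(1)</script>');
echo vulnerable_username_banner($xss), "\n";   // tag is emitted as markup
echo safe_username_banner($xss), "\n";         // tag is emitted as inert text

$sqli = array('qid' => '1 or 1=1');
echo vulnerable_lookup_sql($sqli), "\n";       // WHERE clause is now always true
// safe_lookup($db, $sqli) returns an empty array before touching the database.
```

Run it from the command line with `php` to compare the two outputs; only `safe_lookup()` needs a live `PDO` connection (e.g. `new PDO('mysql:host=localhost;dbname=PLACEHOLDER', ...)`).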