A passionate discussion from today.
Developer 1: "AJAX is a set of tools,
use it where it really helps, not just
for the sake of it."
Developer 2: "Its almost 2011, we can
build rich desktop like applications
in the browser, we should use AJAX
everywhere and make a single page
application with everything in it an
AJAX powered component."
I can understand things so far. Here's where I don't get it.
Developer 1: "Using AJAX to make a
single page app, we will have to write
our own code to manage bookmarking and
browser back forward buttons"
Developer 2: "No problem, that's
easily doable. It's worth it because
AJAX solves the problems we had with
normal GET/POST, the statelessness.
With a one page AJAX app, you can
maintain context, you don't need
hidden variables, heavy session
management as you would when you moved
between pages"
Is Dev 2 right? Has AJAX really solved problems with how the 'web' normally works?
No.
First of all, there's no problem with how the Web works. It was designed to be stateless, and even with a single page AJAX app, the Web is still stateless.
The problem is with how Developers approach managing state in the stateless environment of the web. Single page AJAX applications definitely make managing state much easier for developers (actually, it sidesteps the problem entirely) that are used to being able to manage state easily in a desktop application.
Just remember, though, that if you have a single page AJAX application and you forget to send the state back to the server for persistence, you lose it...
In my personal opinion, single page AJAX applications also have code management/readability/maintainability issues that far outweigh the state management benefits. I'd rather learn how to properly pass state from page to page in my application that deal with the headache of a single page that contains all of my code.
You answered your own question with: "AJAX is a set of tools, use it where it really helps"
AJAX has solved a lot of problems by streamlining user experience and allowing the developer to control the flow server-side and client-side scripting. There is a development cost to utilizing AJAX to its maximum potential that its viability is dependent on the project, requirements, performance expectations, etc.
Node.js is very likely to revolutionize web development and web scripting as well. If there is a long-term scope to web development projects, keep the cost-benefits of upgrading to future technologies in mind as well.
There is a time and place for everything. Writing web pages to not load a new page AT ALL 90% of the time is not appropriate. Certainly there are exceptions for web applications such as Google Docs etc... but AJAX solves a need, and that is "I only want to update a small portion of my page, I don't need to load the entire page again."
You have to understand the needs of your users with the realization of expectations. If I make a comment, I do not really expect the entire page to load again. It's not necessary. If I want to visit another article on the page then I would expect it to go to a different page entirely.
Do not think of AJAX as an all or nothing solution. It fits specific needs just like traditional web pages do, and the two can be married to perfection if that is understood. Otherwise you end up having to write code for a solution to a problem that does not normally exist.
Related
I have taught myself HTML/CSS and some JavaScript as a hobby, and have reached the point where I am comfortable building a clean simple website. The company I work for (we do nothing related to coding) has a website that is quite outdated so naturally I saw this as an opportunity for my first live site. I approached my Managers at work to take a look at my first mock up and they loved it and want me to revamp our current site.
The one concern they have with me being a rookie is the issue of web security. Essentially they want to make sure that the website I build leaves no vulnerability for someone to hack through our server, start editing our website, etc.
There are no interactive components to the current website. I plan to build this website with only HTML and CSS, and perhaps add some JavaScript later down the road once I progress in my learning a bit more. There are no account logins or areas to enter personal information anywhere on the site.
My question comes down to this -- what can I do to ensure that the website I build is not leaving our company vulnerable? I have done a lot of searching around Stack Overflow and other websites but I am not confident I am finding the correct information.
Details that might make a difference:
Our company website is hosted through godaddy.com
Our website is currently on Wordpress, but I will probably not use Wordpress for the new website
I greatly appreciate all of your help!
since there should be no direct interacting with the server ex PHP and AJAX only HTML CSS and js there should be no security issue, as js and HTML can't edit/delete/read server files, only server-side programming can. eventually you may want to invest in PHP almost no website is complete without PHP or AJAX. take me for example, I used to use just HTML, CSS, and js. then I wanted to do more.. log form answers to a file, show different pages based on the query string. these things are virtually impossible in a HTML, CSS, and js only environment. I would also recommend atleast getting free protection from cloud flare.. they give free shared hosting wildcard SSL, and free DDOS protection, granted for a business you might want to invest a little more than free but free would be a good starting point
also you could pay someone to test the vulnerability of your company, take for example OurMine. a legal hacking group.. you pay them to test your security and they do just that. (they claim they don't log anything that they get) otherwise there might be vulnerabilities you may not be aware of
When you are concerning about just AJAX call, I would help you out for following suggestion regarding "Function access rule from AJAX".
By adding "_" as a prefix for Function name, we can prevent function to be called from The Web publicly. This is the best practice when we need some specific function to be accessed via AJAX only.
Kindly, refer my answer given in other question.
[Website Security: How to learn?
This all goes back to some of my original questions of trying to "index" a webpage. I was originally trying to do it specifically in java but now I'm opening it up to any language.
Before I tried using HTML unit and other methods in java to get the information I needed but wasn't successful.
The information I need to get from a webpage I can very easily find with firebug and I was wondering if there was anyway to duplicate what firebug was doing specifically for my needs. When I open up firebug I go to the NET tab, then to the XHR tab and it shows a constantly updating page with the information the server is updating. Then when I click on the request and look at the response it has the information I need, and this is all without ever refreshing the webpage which is what I am trying to do(not to mention the variables it is outputting do not show up in the html of the webpage)
So can anyone point me in the right direction of how they would go about this?
(I will be putting this information into a mysql database which is why i added it as a tag, still dont know what language would be best to use though)
Edit: These requests on the server are somewhat random and although it shows the url that they come from when I try to visit the url in firefox it comes up trying to open something called application/jos
Jon, I am fairly certain that you are confusing several technologies here, and the simple answer is that it doesn't work like that. Firebug works specifically because it runs as part of the browser, and (as far as I am aware) runs under a more permissive set of instructions than a JavaScript script embedded in a page.
JavaScript is, for the record, different from Java.
If you are trying to log AJAX calls, your best bet is for the serverside application to log the invoking IP, useragent, cookies, and complete URI to your database on receipt. It will be far better than any clientside solution.
On a note more related to your question, it is not good practice to assume that everyone has read other questions you have posted. Generally speaking, "we" have not. "We" is in quotes because, well, you know. :) It also wouldn't hurt for you to go back and accept a few answers to questions you've asked.
So, the problem is?:
With someone else's web-page, hosted on someone else's server, you want to extract select information?
Using cURL, Python, Java, etc. is too painful because the data is continually updating via AJAX (requires a JS interpreter)?
Plain jQuery or iFrame intercepts will not work because of XSS security.
Ditto, a bookmarklet -- which has the added disadvantage of needing to be manually triggered every time.
If that's all correct, then there are 3 other approaches:
Develop a browser plugin... More difficult, but has the power to do everything in one package.
Develop a userscript. This is much easier to do and technologies such as Greasemonkey deal with the XSS problem.
Use a browser macro technology such as Chickenfoot. These all have plusses and minuses -- which I won't get into.
Using Greasemonkey:
Depending on the site, this can be quite easy. The big drawback, if you want to record data, is that you need your own web-server and web-application. But this server can be locally hosted on an XAMPP stack, or whatever web-application technology you're comfortable with.
Sample code that intercepts a page's AJAX data is at: Using Greasemonkey and jQuery to intercept JSON/AJAX data from a page, and process it.
Note that if the target page does NOT use jQuery, the library in use (if any) usually has similar intercept capabilities. Or, listening for DOMSubtreeModified always works, too.
If you're using a library such as jQuery, you may have an option such as the jQuery ajaxSend and ajaxComplete callbacks. These could post requests to your server to log these events (being careful not to end up in an infinite loop).
I'm not a Web Developer, and I don't know a lot about the web application frameworks out there.
Recently, however, I got into Wt. It's a web framework written in C++ (that's why I got into it), but what impressed me the most is the idea it's based on.
Its API is different from any web framework I ever heard of (CppCMS, Yii, Django, Pylons, Zope, Drupals, Java Servlets, Struts ...): a new Application object gets created for any user session, and it stays alive until the session expires (only at this point the Application object gets destroied). This Application object works like a desktop window: you put Widgets in it (widgets like forms, links, labels ...); when the user clicks on a link (when the HTTP server receives a new GET/POST request) a function gets called on the object tight to the user session (in a nice Signal/Slot way), which can remove/add/change the widgets, thus changing the page the user will see.
As I said, I'm not very skilled with web frameworks, I develop almost only desktop applications; maybe for this reason I think this paradigm behind Wt is great.
I'd like to know what are the pros and cons of this framework API in respect to the other ones, and if there are other frameworks (also in other languages) based on the same concepts.
Wt is a great framework for its intended range of applications.
Wt is great for :
web apps tightly coupled to a session, i.e.
made to be accessed only by users that are logged in (except the landing page)
display a lot of user-dependent content (so not for a wiki)
relying heavily on state
web apps that need to have a lot of controls/buttons and user input.
For exemple, I plan to write a browser MMORPG. Pages will all be having a state tied to a user, and there will be a lot of buttons. Wt is perfect for that. I used to be a Ruby on Rails developper, and switching to Wt for this kind of app was a great moment. It's increadibly cumbersome to design forms with traditional frameworks that try to enforce pure REST.
Wt would also be perfect for a control interface on some process. For example, an interface allowing your customers to configure their adword campain, etc.
Of course, using Wt is not perfect regarding control and separation, but it allows extremely fast development when you need only the "classic" features (buttons, editors, etc.)
So as a rule of thumb, if you are trying to put a desktop application on the web (which is a great idea, removing the need to deploy and update on your customers' machines), Wt is a good candidate.
Also, if you are interfacing with an existing C++ codebase, Wt has an advantage.
I think this is generally bad idea.
Web application is very different from GUI one and there are many reasons:
99% of the web is about the content rather then about iteration.
You go to web to get or share content rather then to do some real time interaction
like drawing a picture, working with spreadsheet or anything else.
Web is content driven rather then "event driven" interactive application.
This has strong impact on how do you create most of web - you bring information
to user rather then interact with him.
The server and client programming is very different
There are some web GUI applications like e-Mail, Chats clients but to perform well
they require very good separation between the client side written
in high quality Java Script and the high quality server side backend that is used
over AJAX for content retrieval.
Hiding this separation like Wt does or (other known frameworks) lead to crappy
software and generally brings more problems then solutions in long run.
Because it should be very clear separation between server side and client side jobs
as some require real time response and some don't.
When you try to solve all this in one wait for problems. Note, there are client-server
solutions for GUI (see X-Server as example) but unlike web they designed for this
and rather work more like IPC rather then client-server solitions.
The web is stateless most of the time.
Or to be more correct the state usually keeps quite small amount of data.
Creation of instant session object is nice idea until you need to...
Scale up save state in long terms then this model becomes not so good, of course
this not "forced" model by Wt but it is general concept that fits certain concept
and some does not.
Bottom Line
If you want to design good GUI like web application. Start learning JavaScript and use good GUI JavaScript frameworks that fit well to GUI even driven design. Then combine them with some server side API using some interaction RPC model like Json-RPC, XML-RPC and other
AJAX tools.
This is the way to do things right for highly interactive applications.
If your application is more content oriented then most of server side web
frameworks do great job - concentrate on server side with its great tools suitable
for the job.
All in one solution? It just does not work...
Disclosure: I'm developer of CppCMS and I think Wt just goes in wrong way.
ASP.NET is similar; it has the same goal to make web development look like desktop application development.
This question is for web developers and architects.
How do you think is it a good or bad idea to have a website where you're able to edit all the templates (HTML, CSS, JS, images..) right from the admin panel?
In this case if you update website often, you don't need to search for a local version of your website on you development machine, search for a specific page, make modifications, commit it to source control server, make deployment.. Instead, all you need is just right click on the page or any element on this page, click Edit, update a piece of HTML and click SAVE - 30 seconds maximum - all from your browser ;)
You still can have version control system with this approach and rollback any template which was modified by mistake by 2 mouse clicks on a website.
I personally like this approach and need to know your opinion. So what do you think?
Note, we are talking about big websites which have to be updated often, multilingual ones etc.
Realworld web-applications which use this approach:
Wordpress
vBulletin
Personally, I think it would depend on the complexity of the website.
What you're talking about here is directly editing the structure (and potentially behaviour) of a live website. Sure, it may take longer to make the changes on your development server before rolling them out but if there's any chance of breaking either the appearance or functionality of the site then I'd think definitely think twice.
You shouldn't be allowed to modify the entire layout of your site through the site itself in my opinion. The reasons being the lack of version control and the inability to preview what you are doing, which translate into the inability to come back to an older version. Plus if you modify it locally, you are allowed to make errors that break everything, a luxury you can't always afford if you're doing it directly through the website.
Being able to add/remove content through the website is great though, it would be very painful to update a blog by modifying your HTML each time!
I once created a site that did exactly that. (Well, without any option for source control - had to learn that one the hard way...) Looking back at what I did there, a few things come to mind:
It was a traditional website with information about my sports club, that only changed occasionally, not a web app in the modern sense.
I wanted to be able to apply fixes even though I had no access to my dev machine (because it was a private project, I was at work, and ftp connections were not allowed by the comapny proxy).
For those specific reasons, the approach was a good solution. Today I would use one of the many good frameworks for this purpose (Joomla, Drupal etc) instead of coding it myself.
On important item: I was able to edit the pages that were used to generate the main site, but not the generation program or my admin pages. For those, I had to use my dev machine and upload file changes by ftp.
I think it is a good approach, if done correctly (my implementation certainly wasn't)
Editing HTML/CSS/JS files through your web browser can make things easier, as long as the editing implementation is neat, organized, idiot-proof, and keeps track of revisions.
A major issue to consider is security. The inability to modify actual files from the content management system in most software packages is a security precaution.
Learn to use a version control system effectively and efficiently. Tools like git or bzr can take care of a lot of the tedious stuff automatically, like package building, uploading, etc.
I hate it. Web development, much like the web servers themselves, shouldn't be "comfortable". Web development should be a mother gentle caressing scary experience. It should sound, look, even taste dangerous.
Neophyte web developers should be put through their paces learning the subtler aspects of their chosen text editor before they are even allowed to open a web browser; and not be allowed near a graphical web browser before 6 months of working only using lynx for debugging.
Laziness is our bane. No more, I say.
Edit: This is, perhaps, a bit tangential to the issue at hand. It should also be mentioned that visual identity that is too simple to change will change too often, leading to confused and frustrated users.
I want to design a website but I don't know from where to start.
Is there a beginners' guide to start with?
How much dedication do you hope to provide? If you merely want to design a single website, quickly and dirty, there's a plethora of open source web templates available online, with clean and basic HTML/XHTML design strategies that you could modify, and provide content for.
Such as this and that.
Alternatively, if you would like to design your own websites from scratch and have full technical knowledge in the field (the proper way). Pick up a book or two on HTML/XHTML/XML, with documentation on content management systems, php, etc.
You'd soon find that in the beginning your development would be gradual and at best, slow. If you put in sufficient effort, you would find that you get to the point where you can quickly design sites confidently, which best illuminate your content.
You should be familiar with this and this
Try this Web Design from Scratch
I understand by website you mean some kind of web-app. And by design you mean, not just the page design but the design of the web-app. First, you have to understand the anatomy of a web-app. The major components are:
Database is used to store user and application data for long term. A database provides query functionality (SQL), backup on one installation and restore on another, triggers when a data entry changes, and constraints that must be satisfied by the data tables.
Web Server, also called Http Server hosts the web application.
Web Browser such as Internet Explorer or Firefox.
When a user types a URL into the web browser, the web server forwards the URL to the corresponding web application. The web application performs the needed tasks (which may involve reading or writing into the database) and returns a new html page to the user via www.
Some components of the web application are:
Database access objects are representations of objects that encapsulate interaction with database tables.
Business Logic is the main logic of the application. Here we implement the search functionality using Lucene library, for example.
Action Handler handles a http request received from the user, for example when she types a URL or when she clicks on the "submit" button. These are Http GET and POST requests. The Action Handler uses the business logic to drive the actions.
Data view on the web brower is constructed using some template library (which usually produces javascript user interface code for the web browser). For interactivity one may use Ajax techniques.
Almost all web-apps separate the model, view and controller of a web application. The view deals with the display, the model deals with data and the controller deals with control/functioning. See http://www.uidesign.net/Articles/Papers/UsingMVCPatterninWebInter.html.
Several frameworks implement MVC. The most easy ones to get started are Ruby on Rails and Django (over which an open source social network called Pinax too is written). There are much more comprehensive frameworks and libraries in java too (for a single web appl you may need to join several of these libraries), such as spring, webwork, tapestry, lucene (for search), sitemesh (for page decoration). Many java web apps run on tomcat web server and with mysql database.
I started with http://w3schools.com. Make sure you're using Firefox and the Firebug addon. Get your hands dirty then get familiar with the web design community.
I have CSS Mastery by Andy Budd on my desk and it's a good, readable, short, yet deep guide to CSS.
Don't Make me think has also become my mantra of web design.
Overall, you're going to produce a lot of crap--as I have--before you get good. If you have someone to look over what you're doing that'll be the best help. Personal drive will matter the most in the long run though, so stick with it and keep learning.
Liz Castro has a good book too.