Posts Tagged ‘mvc’

The way NOT to do JavaScript in Joomla!

While doing a little Sunday afternoon browsing of Twitter, I noticed Amy Stephen warning about a bad technique for using Joomla! with AJAX-style requests. I followed the link (WARNING: don’t use this code!) and found security vulnerabilities right away. Since the blog in question doesn’t support comments, I’m forced to respond here.

First, as Amy pointed out, the technique creates another entry point into Joomla. While this can be used effectively if you know what you’re doing, it’s totally unnecessary for a casual application of asynchronous JavaScript. Next, class, who can tell me what’s wrong with this piece of code?

cExt( $_POST['func'] );

That’s right, we’re passing data straight from our HTTP request (which can come from anywhere in the WORLD) into our application’s logic. Once we get into the the cExt function, the variable is used to execute code with no filtering whatsoever:

function cExt($func = ”){
$cext = null;
if(!empty($GLOBALS['cExt']))
$cext = $GLOBALS['cExt'];
else{
$GLOBALS['cExt'] = new plgCommunityExt();
$cext = $GLOBALS['cExt'];
}
if(empty($func))
return $cext;
else{
if($GLOBALS['ajax'] == true)
$cext->$func();
else
return $cext->$func();
}
}
function cExt($func = ''){

    $cext = null;

    if(!empty($GLOBALS['cExt']))

        $cext = $GLOBALS['cExt'];

    else{

        $GLOBALS['cExt'] = new plgCommunityExt();

        $cext = $GLOBALS['cExt'];

    }

    if(empty($func))

        return $cext;

    else{

        if($GLOBALS['ajax'] == true)

            $cext->$func();

        else

            return $cext->$func();

    }

}

Please, regardless of whether or not you use Joomla, don’t do this! It is a totally insecure way of writing code. Instead, if you are using Joomla, you can at least filter this variable using the following code:

$func = JRequest::getCmd('func', '');

This code will filter the func variable from the request and make sure it only includes numbers, letters, or underscores. Additionally, you should filter $func to make sure a corresponding public function in the plgCommunityExt class exists before attempting to use it to actually execute that function.

As a side note, $GLOBALS is being used an awful lot here. While this isn’t a security risk in and of itself, it is a bad practice that can lead to insecure coding. If the register_globals setting in PHP (going away in PHP 6) is turned on, this becomes a huge security risk as anyone in the world can set the value of cExt to anything.

The post ends with this quick jibe:

That was pretty easy wasn’t it, in order to get quick results you just have to find these shortcuts which will spare you the time and pain of having to read some Joomla-, or pick your favorite, CMS book.

I’d argue that the author of this blog post would not only benefit from reading a book about CMS development, but one on basic PHP security. The technique he describes is insecure in any PHP-based framework or CMS.

Fortunately, you don’t even have to run to the bookstore to find examples of the correct way of doing these things. Louis Landry has a quick example of how to return JSON formatted data simply and securely on this thread, without having to create a special component view. If you do want to use a view, this blog post will show you how to do it.

Finally, if you do want to learn how to add AJAX-style requests to Joomla (without necessarily using JSON), I’ll shamelessly plug my own book. But you don’t even have to buy it, because the sample chapter is indeed the one on JavaScript and Joomla (start on page 168 if you already know Joomla! MVC).

Quick and dirty christmas list – a Joomla! Recipe

Right around Thanksgiving, my mother will usually email asking for a list of Christmas gifts. This previously presented a messy problem: we would have to sit down, come up with a list, send it to Mom, then she would have to circulate the list and coordinate who was buying what. Instead of doing that this year, I told Mom to wait a week. Ten days later, I managed to scrounge up enough time to dash off a Joomla!-based system to handle all of this. Joomla! took care of the basic interface and user management tasks, leaving me to finish off the rest as an MVC component.

First, I installed a standard copy of Joomla! 1.5 with no sample content. I adjusted the parameters of the default rhuk_milkyway template so that it would have green links and headers (Color Variation) with a solid red background (Background Variation). I could have ditched the Joomla! logo in the header, but was lazy and just left it in.

Next, I added an instance of the Login module and unpublished the main menu. Although the main menu was unpublished, I left it in the system as a holding place for the default menu item. I also set Joomla! to disallow account self-registration: only seven specific people would ever be logging into this site and I didn’t want any passers-by creating accounts. I created an additional menu and set the access level to registered users only; no need to show the world any piece of our application. This menu included a link to the User Form Layout which I titled “Change my password” (even though you can do more than change your password from this form).

Finally, I cobbled together a custom MVC component to handle the lists. Before writing a lot of code, I created a menu link pointing to the component on the main menu, then adjusted the login module to redirect to this menu item after authenticating. This makes the login process seamless: you don’t see any parts of or links to the list component before you are logged in. Your only options are to either log in, retrieve your username, or retrieve your password. Once you’ve successfully logged in, you’re immediately taken to the component.

After configuring the login module, I continued to build the component. Before calling the controller, I used this code to make sure the user is logged in before continuing:

if (!$user->id) {
    global $mainframe;
    $mainframe->redirect('index.php', 
      'No peeking! You have to log in first.');
}

Next, I have controller sets the default view to ‘mylist’. This view lists all of your requested items and provides a form for entering more. To set the default view, I overrode the display() function for the controller like this:

function display()
{
    $view = JRequest::getVar('view', '');
    if ($view == '') {
        JRequest::setVar('view', 'mylist');
    }
    parent::display();
}

This way, if ‘task’ in the request is empty, the component automatically calls display(), finds that ‘view’ is also empty, then sets it to ‘mylist’. Now, while the ‘mylist’ view lists all of our requests, it does not display the purchase status of those gifts. In addition to the ‘mylist’ view, there is an ‘item’ view providing a form where you can edit gifts you’ve already added. Links to the ‘item’ view are provided from the ‘mylist’ view.

In contrast to ‘mylist’, the ‘otherlists’ view displays all of the gift requests from all the other users, while listing gift purchases. It also has links you can click to mark yourself as having bought a specific gift. This way, people know not to buy something you’ve already purchasing. The code also makes it possible to mark multiple people as chipping in on a gift.

While the ‘item’ view simply loads a single row from the database, the ‘mylist’ and ‘otherlist’ views have their own data models. The data model for ‘mylist’ is very simple and has only one function, but the ‘otherlists’ model has functions for getting a list of all users, getting the buyers for each item, and getting all of the items listed by everyone else.

While there is more code I would like to add (such as gift suggestions for people who are slow about building their wishlist), following the MVC pattern now will make it easy to do that later. In the meantime, here’s a link to the code as it stands today (NOTE: this is not an installable Joomla! package. Drop com_christmaslist into the frontend components folder, run the .sql, then make an entry into jos_components if you want).