Rasmus Lerdorf's 30 second AJAX Tutorial

Minimal XMLHttpRequest (AJAX) tutorial by Rasmus Lerdorf:

List: php-general
Subject: [PHP] Rasmus' 30 second AJAX Tutorial – [was Re: [PHP] AJAX & PHP]
From: Rasmus Lerdorf
Date: 2005-07-21 22:50:56
Message-ID: 42E026D0.3090601 () lerdorf ! com

I find a lot of this AJAX stuff a bit of a hype. Lots of people have
been using similar things long before it became "AJAX". And it really
isn't as complicated as a lot of people make it out to be. Here is a
simple example from one of my apps. First the Javascript:

    function createRequestObject() {
        var ro;
        var browser = navigator.appName;
        if(browser == "Microsoft Internet Explorer"){
            ro = new ActiveXObject("Microsoft.XMLHTTP");
        }else{
            ro = new XMLHttpRequest();
        }
        return ro;
    }

    var http = createRequestObject();

    function sndReq(action) {
        http.open('get', 'rpc.php?action='+action);
        http.onreadystatechange = handleResponse;
        http.send(null);
    }

    function handleResponse() {
        if(http.readyState == 4){
            var response = http.responseText;
            var update = new Array();

            /* response format is "id|text": element id before the '|', new HTML after it */
            if(response.indexOf('|') != -1) {
                update = response.split('|');
                document.getElementById(update[0]).innerHTML = update[1];
            }
        }
    }

This creates a request object along with a send request and handle
response function. So to actually use it, you could include this js in
your page. Then to make one of these backend requests you would tie it
to something. Like an onclick event or a straight href like this:

    <a href="javascript:sndReq('foo')">[foo]</a>

That means that when someone clicks on that link what actually happens
is that a backend request to rpc.php?action=foo will be sent.

In rpc.php you might have something like this:

    switch($_REQUEST['action']) {
        case 'foo':
            /* do something */
            echo "foo|foo done";
            break;
    }

Now, look at handleResponse. It parses the "foo|foo done" string and
splits it on the '|' and uses whatever is before the '|' as the dom
element id in your page and the part after as the new innerHTML of that
element. That means if you have a div tag like this in your page:

    <div id="foo"></div>

Once you click on that link, that will dynamically be changed to:

    <div id="foo">foo done</div>

That's all there is to it. Everything else is just building on top of
this. Replacing my simple response "id|text" syntax with a richer XML
format and making the request much more complicated as well. Before you
blindly install large "AJAX" libraries, have a go at rolling your own
functionality so you know exactly how it works and you only make it as
complicated as you need. Often you don't need much more than what I
have shown here.

Expanding this approach a bit to send multiple parameters in the
request, for example, would be really simple. Something like:

    function sndReqArg(action,arg) {
        http.open('get', 'rpc.php?action='+action+'&arg='+arg);
        http.onreadystatechange = handleResponse;
        http.send(null);
    }

And your handleResponse can easily be expanded to do much more
interesting things than just replacing the contents of a div.
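The handleResponse above trusts the backend twice: it lets the response pick any element id on the page and it writes the text as innerHTML, so anything rpc.php echoes back (for example a reflected arg parameter) is parsed as markup. As an added example that is not part of Rasmus' post, here is a hardened version of the same "id|text" protocol: the target id is checked against an allowlist of elements the page expects to update, and the payload is written with textContent. The allowlisted ids and the stand-in document are constructed for this example.

```javascript
// Added example, not code from the original post: hardened "id|text" handling.

// Element ids this page is willing to let the backend update (assumed names).
const ALLOWED_TARGETS = new Set(['foo', 'status']);

// Split the "id|text" response into its parts. Returns null when the response
// does not follow the protocol or names an element that is not allowlisted.
function parseUpdate(response, allowedTargets) {
  // Compare outside the indexOf() call (the original had the comparison inside
  // the argument) and slice rather than split, so the text may itself contain '|'.
  const sep = response.indexOf('|');
  if (sep === -1) return null;
  const id = response.slice(0, sep);
  const text = response.slice(sep + 1);
  if (!allowedTargets.has(id)) return null;
  return { id, text };
}

// Apply a parsed update to a DOM. `doc` is passed in so the function can be
// exercised against a stand-in document outside a browser.
function applyUpdate(doc, response, allowedTargets = ALLOWED_TARGETS) {
  const update = parseUpdate(response, allowedTargets);
  if (update === null) return false;
  const el = doc.getElementById(update.id);
  if (!el) return false;
  el.textContent = update.text; // not innerHTML: markup is displayed, never parsed
  return true;
}

// Minimal stand-in for `document`, constructed for this example.
function makeFakeDocument(ids) {
  const elements = new Map(ids.map((id) => [id, { id, textContent: '' }]));
  return { getElementById: (id) => elements.get(id) || null };
}

const page = makeFakeDocument(['foo', 'status']);
applyUpdate(page, 'foo|foo done');          // legitimate update, as in the tutorial
applyUpdate(page, 'status|<b>not parsed</b>'); // tags stay literal text
applyUpdate(page, 'other|text');            // rejected: id not on the allowlist
```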


RunPHP Mediawiki-Extension

I had the idea that it would be nice to be able to execute PHP code from within a MediaWiki article. So I quickly put together a small MediaWiki extension that executes PHP code embedded in "<php>phpinfo();</php>".

Of course, the whole thing is more than a security risk and must only be used in a truly trusted environment.

The extension can be found on Mediawiki.org


Ouch: someone has come up with the idea that mailto: links could be abused for popups by putting the link into a meta refresh or into an image tag. Let's hope the spammers don't get the same idea, because at the moment no popup blocker helps against it...



XSS (Cross Site Scripting) Cheatsheet

"If you don't know how XSS (Cross Site Scripting) works, this page probably won't help you. This page is for people who already understand the basics of XSS attacks but want a deep understanding of the nuances regarding filter evasion. This page will also not show you how to mitigate XSS vectors or how to write the actual cookie/credential stealing/replay/session riding portion of the attack. It will simply show the underlying methodology and you can infer the rest." – A constantly growing list of all possible cross-site scripting attacks... A web application should not let any of these through.

XSS (Cross Site Scripting) Cheatsheet: Esp: for filter evasion – by RSnake


Really Simple History (RSH) framework für AJAX

"The Really Simple History (RSH) framework makes it easy for AJAX applications to incorporate bookmarking and back and forward button support. By default, AJAX systems are not bookmarkable, nor can they recover from the user pressing the browser's back and forward buttons. The RSH library makes it possible to handle both cases.
In addition, RSH provides a framework to cache transient session information that persists after a user leaves the web page. This cache is used by the RSH framework to help with history issues, but can also be used by your own applications to improve application performance. The cache is linked to a single instance of the web page, and will disappear when the user closes their browser or clears their browser's cache.
RSH works on Internet Explorer 6+ and Gecko-based browsers, like Firefox. Safari is not supported." – Making an AJAX application bookmarkable


AJAX MAssive Storage System (AMASS)

"The AJAX MAssive Storage System (AMASS) uses a hidden flash applet to allow JavaScript AJAX applications to store an arbitrary amount of sophisticated information on the client side. This information is permanent and persistent; if a user closes their browser or navigates away from the web site, the information is still present and can be retrieved later by the web page. Information stored by web pages is private and locked to a single domain, so other web sites can not access this information.
AMASS makes it possible to store an arbitrary amount of sophisticated data, way past the 4K limit of cookies or the 64K limit of Internet Explorer's proprietary client-side storage system. An AMASS-enabled web site can store up to 100K without user permission. After 100K, users are prompted on whether the web site can store the requested amount of information. Users can approve or deny the storage request. The AMASS system informs the client-side application on whether the storage request was allowed or denied. In my own testing I have been able to store up to ten megabytes with good performance; I'm sure even more information can be stored, I just have never tried beyond this amount.
AMASS works on Internet Explorer 6+ and Gecko-based browsers, like Firefox. Users must have the Flash plugin version 6+ installed to use AMASS; Flash 6+ is installed in 95% of machines, however." – A little trick for when more data has to be stored on the client side. That should be avoided as far as possible, though...
