About e-Genda

by egenda last modified 2006-05-11 01:17 PM

This document goes over aspects of system design and functionality.

SAJAX Implementation

In the e-Genda system we use an AJAX framework called SAJAX. This framework lets JavaScript functions call PHP, Python, ColdFusion, etc. functions directly through AJAX. It is fairly easy to write your own AJAX function handlers, but using SAJAX lets you skip the steps needed to build your own and jump right into development.

[FOR PHP] When using SAJAX the developer must first include the sajax.php file in their source. Then the functions which the developer wants to access via JavaScript must be written or included. Finally the developer must add the lines:

sajax_init(); //init sajax

...followed by...

sajax_export( [function name as string], [function name as string], ... [last function name as string] ); // build javascript wrappers for the exported functions

...followed by...

sajax_handle_client_request(); //setup client request code

In the "HEAD" of your HTML/PHP template add a "script" tag for your JavaScript. Inside the "script" tag add the line:

<?php sajax_show_javascript(); /* prints all the javascript needed to call the exported PHP functions */ ?>

to be continued...

Site Security

In the site layout the main file which handles the loading of our include files and starts the initialization of the application is our bootstrap.php file. The bootstrap.php file is responsible for including all code sources and creating our security check that tells the system the user has accessed the system through the "front door". For instance, if the user tried to go directly to an included file (http://e-genda.net/mytimezones.php) then the user will receive a message telling him or her that they should not be where they are and to leave immediately. This allows the system to know whether the included files are being accessed correctly or not.

How does this work?

  • The bootstrap.php file defines a flag. This flag, once set, tells the system the files are being accessed correctly.
  • The bootstrap.php file is accessed only through the index2.php file (our "front door"). This means that the only way to correctly access the included files is through the index2.php file, by logging into the system and following the system menus.

Further security is handled through Apache. When a user logs in a session is created on the server side and a session cookie is created on the user side. This session is only good until the user closes his/her browser or the termination of the session on the server side. This session can be checked through PHP and this check is the next line of security in the e-Genda system.

Since e-Genda uses many AJAX calls which directly access PHP functions, the security risks rise drastically. In every function there is a check to make sure that the file was included properly by the bootstrap and that the session accessing the function has been authenticated to a known user.

Finally, since the session is tied to a user's account, we must put security checks in our SQL statements. For instance, if a user is trying to access a function get_event( event_id ), there must be a check in the SQL statement that will cause the SQL statement to fail if the event tied to the event_id does not belong to the user trying to access the information.

The top 2 layers of security are the easiest and most effective to implement. The last layer of security, in our SQL, can become very tricky and easy to overlook when developing dynamic web applications.
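The three checks described above, applied to one SAJAX-exported function, as an added example that is not e-Genda's own code. The bootstrap flag constant, the session key, the global PDO handle and the events table and column names are all assumptions; the page names none of them.

```php
<?php
// Added example (not e-Genda's code). Assumed names: EGENDA_BOOTSTRAPPED,
// $_SESSION['user_id'], $GLOBALS['db'] (a PDO handle) and the events table.

// Layer 1: bootstrap.php would define this flag before including any other
// file. A direct request for the included file never reaches that definition,
// so the constant is missing and the request is refused.
if (!defined('EGENDA_BOOTSTRAPPED')) {
    exit('You should not be here. Please leave immediately.');
}

/**
 * Layer 2: every SAJAX-exposed function starts by requiring a server-side
 * session that has been authenticated to a known user. Returns that user's id.
 */
function require_authenticated_user(): int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user_id'])) {
        exit('Not authenticated.');
    }
    return (int) $_SESSION['user_id'];
}

/**
 * Layer 3: ownership is enforced inside the SQL itself. The row comes back
 * only if it belongs to the session's user, so a guessed event_id from the
 * browser yields nothing. Without the owner_id clause this query would return
 * any user's event to any logged-in user; that clause is the easy-to-overlook
 * part the page warns about. SAJAX passes the browser's argument as $event_id.
 */
function get_event($event_id): ?array
{
    $user_id = require_authenticated_user();
    $db = $GLOBALS['db']; // assumed PDO connection created by bootstrap.php

    $stmt = $db->prepare(
        'SELECT event_id, title, starts_at
           FROM events
          WHERE event_id = :event_id
            AND owner_id = :owner_id'
    );
    $stmt->execute([':event_id' => (int) $event_id, ':owner_id' => $user_id]);

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

With SAJAX the function is exposed by adding `sajax_export("get_event");` in the bootstrap sequence shown earlier; the JavaScript wrapper then calls it with only the event id, and both the session and ownership checks run on the server for every call.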
