Tuesday, June 26, 2012

Handling Scripts and CSS in Yii Framework

Yii provides the CClientScript application component to manage the JavaScript and CSS files used by a page.

Registering core scripts that come with Yii

To register the core jQuery library that ships with Yii, use the following methods.

Yii::app()->clientScript->registerCoreScript('jquery');
Yii::app()->clientScript->registerCoreScript('jquery.ui');
// yiiactiveform must be registered on the view where the AJAX form is placed
Yii::app()->clientScript->registerCoreScript('yiiactiveform');

The statements above register the jQuery and jQuery UI libraries; when YII_DEBUG is false, Yii registers the minified versions of both.

To register inline scripts and CSS
Yii::app()->clientScript->registerScript('unique-script-id', 'js code', $position);

// the third argument is the media type, e.g. print, handheld or screen
Yii::app()->clientScript->registerCss('unique-css-id', 'css code', 'print');

Script Positions

CClientScript::POS_HEAD : the script is inserted in the head section right before the title element.
CClientScript::POS_BEGIN : the script is inserted at the beginning of the body section.
CClientScript::POS_END : the script is inserted at the end of the body section.
CClientScript::POS_LOAD : the script is inserted in the window.onload() function.
CClientScript::POS_READY : the script is inserted in the jQuery's ready function.

So if you use
Yii::app()->clientScript->registerScriptFile(Yii::app()->baseUrl . '/script/test.js', CClientScript::POS_END);
then the script is inserted at the end of the body section.

To register external scripts and css files

Yii::app()->clientScript->registerCssFile($yourscript_asset . '/test.css');
Yii::app()->clientScript->registerScriptFile($yourscript_asset . '/test.js');

Publishing scripts to assets directory

Asset manager in brief

CAssetManager is a web application component that manages private files (called assets) and makes them accessible to web clients. It does this by copying the assets to a web-accessible directory and returning the corresponding URL for accessing them.
You can compress, minify and otherwise process your assets through the publishing system, and because the published files live apart from your code base it is easier to host your JS and CSS on a CDN. With assets, a component can be reused without worrying about which files must be copied to public directories and what their URLs are.
Consider a scenario where we have two files located in scripts/testscript, namely test.js and test.css. We publish the directory to the assets folder and then consume the files from there; here is the snippet:
$yourscript_asset = Yii::app()->assetManager->publish(Yii::app()->basePath . '/scripts/testscript/');

//Register JS and CSS files        
Yii::app()->clientScript->registerCssFile($yourscript_asset. '/test.css');
Yii::app()->clientScript->registerScriptFile($yourscript_asset. '/test.js');
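The same publish-then-register flow, packaged as a reusable widget, as an added example (not code from the original post or from the Yii project). It assumes the widget lives in protected/extensions/TestWidget/TestWidget.php with its private files in protected/extensions/TestWidget/assets/test.js and test.css, and that test.js defines a testWidgetInit() function; those names are assumptions.

```php
<?php
// Added example (not from the original post): a CWidget that publishes its own
// assets directory and registers the files with CClientScript. Assumed layout:
// protected/extensions/TestWidget/TestWidget.php and
// protected/extensions/TestWidget/assets/{test.js,test.css}.
class TestWidget extends CWidget
{
    public $message = 'Hello';

    public function run()
    {
        $cs = Yii::app()->clientScript;
        $am = Yii::app()->assetManager;

        // publish() copies the private assets dir into the web-accessible
        // assets/ dir (once per content hash) and returns its public URL
        $assetUrl = $am->publish(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'assets');

        // Core jQuery first so our own file can depend on it; in debug mode Yii
        // serves the non-minified copy
        $cs->registerCoreScript('jquery');

        // External files: CSS in <head>, JS at the end of <body>
        $cs->registerCssFile($assetUrl . '/test.css');
        $cs->registerScriptFile($assetUrl . '/test.js', CClientScript::POS_END);

        // Inline script, wrapped by Yii in jQuery(document).ready(). The id
        // must be unique or later registrations overwrite earlier ones.
        // CJavaScript::encode() JSON-encodes the value, so PHP data reaches
        // the page as a JS literal instead of being interpolated raw.
        $cs->registerScript(
            'test-widget-' . $this->getId(),
            'testWidgetInit(' . CJavaScript::encode($this->message) . ');',
            CClientScript::POS_READY
        );

        // Inline CSS, limited to print media
        $cs->registerCss('test-widget-print', '.test-widget { display: none; }', 'print');

        echo CHtml::tag('div', array('class' => 'test-widget', 'id' => $this->getId()), '');
    }
}
```

Use it from a view with `$this->widget('ext.TestWidget.TestWidget', array('message' => 'hi'));`. Passing the PHP value through CJavaScript::encode() rather than string concatenation is what keeps user-controlled data from becoming executable script in the registered snippet.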

Tips

Load files from Google's servers

Clear all registered scripts before registering new ones

// Clears all registered scripts, script files, CSS and CSS files
Yii::app()->getClientScript()->reset();

Prevent loading jquery files

Yii::app()->clientScript->scriptMap['jquery.js'] = false;
// or, if more than one script must be prevented from registering
$cs = Yii::app()->clientScript;
$cs->scriptMap = array(
    'jquery.js' => false,
    'jquery.ajaxqueue.js' => false,
    'jquery.metadata.js' => false,
);

Avoiding scripts download on AJAX renderPartial request

Suppose we have a function that displays an AJAX active form, and its contents are returned by a call to a controller action that partially renders a view.
// Just before rendering the view that
// has our activeform
Yii::app()->clientScript->corePackages = array();
Now the controller no longer returns the core script files.
It is very important to set corePackages to array() instead of null: setting it to null makes CClientScript reload the packages.php file (located in framework/web/js/), and the scripts are duplicated again.
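A complete controller action built on this tip, as an added example (not code from the original post). It assumes a ContactForm model, a partial view protected/views/site/_contactForm.php containing the CActiveForm, and a full view protected/views/site/contact.php; those names are assumptions.

```php
<?php
// Added example (not from the original post): a controller action that serves a
// form fragment over AJAX without re-sending jQuery/activeform on every request.
// Assumes a ContactForm model and a view protected/views/site/_contactForm.php.
class SiteController extends CController
{
    public function actionContactFragment()
    {
        $model = new ContactForm;

        if (Yii::app()->request->isAjaxRequest) {
            $cs = Yii::app()->clientScript;

            // Empty array (not null): null makes CClientScript reload
            // framework/web/js/packages.php and register the core packages again
            $cs->corePackages = array();

            // Belt and braces: also map the core files to false so that any
            // widget in the partial that calls registerCoreScript() is ignored
            $cs->scriptMap = array(
                'jquery.js' => false,
                'jquery.min.js' => false,
                'jquery.yiiactiveform.js' => false,
            );

            // processOutput=true still runs the form's own inline JS
            // (validation rules) through CClientScript, now without the files
            $this->renderPartial('_contactForm', array('model' => $model), false, true);
            Yii::app()->end();
        }

        // Full page request: normal render, all scripts included
        $this->render('contact', array('model' => $model));
    }
}
```

The page that loads the fragment must already have jQuery and jquery.yiiactiveform.js registered, otherwise the inline validation code in the partial has nothing to call.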

Saturday, June 23, 2012

Joomla Security Fixes

Hosting security stuff

Turn off the following settings in the php.ini file.

1. allow_url_fopen
allow_url_fopen lets PHP functions such as file_get_contents() and the include and require statements fetch data from remote locations over HTTP or FTP. Combined with unvalidated user input, this can lead to code injection vulnerabilities.

You should disable allow_url_fopen in the php.ini file:

; Disable allow_url_fopen for security reasons
allow_url_fopen = Off

The setting can also be disabled in Apache's httpd.conf file:
# Disable allow_url_fopen for security reasons
php_flag  allow_url_fopen  off

If you are using shared hosting, use my php.ini file.


2. display_errors setting
display_errors should be turned off in a production environment so that error messages (which can reveal file paths, queries and stack traces) are not shown to visitors; instead, log them to a log file.

;in php.ini file
display_errors = Off
log_errors = On

# in httpd.conf: disable display_errors for security reasons
php_flag  display_errors  off
php_flag  log_errors  on


3. magic_quotes_gpc
When magic_quotes_gpc is on, every ' (single quote), " (double quote), \ (backslash) and NUL in GET, POST and cookie data is escaped with a backslash automatically. It was intended to prevent injection issues, but it is not a reliable defence (and was removed in PHP 5.4).

If the input data already contains quotes, they are escaped with slashes on every pass, so re-escaping the escaped data a few times leaves you with strings like
<a href=\"\\&quot;\\\\&quot;\\\\\\\\&quot;\\... !!

;in php.ini file
magic_quotes_gpc = Off
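A read-only check for the three settings above, as an added example (not from the original post). It only reads the effective configuration with ini_get() and reports what differs from the recommended state; run it from the CLI (`php audit.php`) or as a temporary, admin-only script, since CLI and web SAPIs can load different php.ini files. The function names are my own.

```php
<?php
// Added example (not from the original post): a read-only audit of the php.ini
// settings this post turns off. It changes nothing, it only reports.
function ini_is_on($name)
{
    // ini_get() returns '', '0', 'off' or 'Off' for disabled booleans,
    // and false for a directive this PHP build does not know at all
    $value = strtolower(trim((string) ini_get($name)));
    return !in_array($value, array('', '0', 'off', 'false', 'no'), true);
}

function audit_php_ini()
{
    // expected state for a production Joomla host, per the post
    $expected = array(
        'allow_url_fopen'  => false,
        'display_errors'   => false,
        'log_errors'       => true,
        'magic_quotes_gpc' => false,   // gone in PHP 5.4+, reads as Off there
    );

    $findings = array();
    foreach ($expected as $name => $shouldBeOn) {
        $isOn = ini_is_on($name);
        $findings[$name] = array(
            'current' => $isOn ? 'On' : 'Off',
            'ok'      => ($isOn === $shouldBeOn),
        );
    }
    return $findings;
}

foreach (audit_php_ini() as $name => $f) {
    printf("%-17s %-4s %s\n", $name, $f['current'], $f['ok'] ? 'ok' : 'FIX');
}
```

If a line reports FIX although php.ini was edited, check which ini file the running SAPI actually loaded (php --ini on the CLI, phpinfo() for the web server) and whether a php_flag or php_admin_flag directive in httpd.conf overrides it.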

Joomla security stuff

1. Use the latest Joomla security update
    Get the latest Joomla updates from http://joomlacode.org/gf/project/joomla/frs/

2. Published SQL injection attacks against Joomla rely on the default table names (the jos_users table above all), so first of all change the database prefix.

    Execute the following query to generate the RENAME TABLE statement; it only builds the statement, which you then run yourself. Raise group_concat_max_len first if the database has many tables, otherwise the generated statement is silently truncated.

SET SESSION group_concat_max_len = 100000;
SELECT CONCAT('RENAME TABLE ', GROUP_CONCAT(CONCAT('`', TABLE_SCHEMA, '`.`', TABLE_NAME, '` TO `', TABLE_SCHEMA, '`.`', REPLACE(TABLE_NAME, 'jos_', 'yourprefix_'), '`') SEPARATOR ', '), ';') AS q
FROM information_schema.TABLES
WHERE TABLE_SCHEMA = 'yourdatabasename' AND TABLE_NAME LIKE 'jos\_%';

Change the prefix value in the configuration.php file as well:
var $dbprefix = 'yourprefix_';


3. Use only secure third-party plugins and keep them updated

4. Use a secure username and password for administrators
    Use strongpasswordgenerator.com or some other tool to generate a strong password.

5. Use an SEF component that makes your Joomla more secure
    Use the .htaccess file provided with the Joomla package (just rename htaccess.txt to .htaccess).


6. Write-protect your Joomla configuration file (make it unwritable)
    Set permission 444 on configuration.php.


7. Delete Joomla templates and unnecessary files/folders that you do not use




Sunday, June 17, 2012

Fixing The CSRF token could not be verified

If you get the message "The CSRF token could not be verified" while using the Yii Framework, the issue usually occurs when
1. You are not using the CHtml form helpers
2. You are not using the CActiveForm widget
3. You are using custom AJAX handlers

If you use CHtml::form() or the CActiveForm widget, Yii automatically adds the hidden CSRF field and validates the token. With a custom form or custom jQuery AJAX calls you must pass YII_CSRF_TOKEN in the POST request yourself; this resolves the error above.


$csrfToken = Yii::app()->request->csrfToken;
This returns the CSRF token for the current visitor (Yii keeps it in a cookie named after csrfTokenName), which you can then pass in your jQuery AJAX calls.


To check whether CSRF validation is enabled in the application, test the request component's property:
if (Yii::app()->request->enableCsrfValidation) { ... }

Getting the CSRF token from JavaScript
var YII_CSRF_TOKEN = $('input[name="YII_CSRF_TOKEN"]').val();
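The three pieces needed for a hand-written form with a custom AJAX handler, as an added example (not code from the original post or from the Yii project): the request component configuration, a view that emits the token without CActiveForm, and the jQuery POST that sends it back. It assumes a CommentController with an add action and a #comments element on the page; those names are assumptions.

```php
<?php
// Added example (not from the original post). Three pieces: the request
// component config that turns CSRF validation on, a view that emits the
// token, and a custom jQuery POST that sends it. Assumes a CommentController
// with actionAdd and a #comments element; names are illustrative.

// 1. protected/config/main.php (excerpt)
$config = array(
    'components' => array(
        'request' => array(
            'enableCsrfValidation' => true,
            // cookie/field name; change it only if you also change the JS below
            'csrfTokenName' => 'YII_CSRF_TOKEN',
        ),
    ),
);

// 2. protected/views/comment/_form.php: a hand-written form (no CActiveForm),
//    so Yii does not add the hidden field for us
$request = Yii::app()->request;
echo CHtml::form($this->createUrl('comment/add'), 'post', array('id' => 'comment-form'));
if ($request->enableCsrfValidation) {
    // hidden field name must equal csrfTokenName; CHtml::hiddenField escapes the value
    echo CHtml::hiddenField($request->csrfTokenName, $request->csrfToken);
}
echo CHtml::textArea('body', '');
echo CHtml::submitButton('Post');
echo CHtml::endForm();

// 3. The custom AJAX handler, registered from the same view so it can read the
//    token from the hidden input. CClientScript wraps POS_READY code in
//    jQuery(document).ready().
Yii::app()->clientScript->registerScript('comment-ajax', "
    jQuery('#comment-form').on('submit', function (e) {
        e.preventDefault();
        // read the token the server rendered; on every POST Yii compares it
        // with the YII_CSRF_TOKEN cookie when enableCsrfValidation is on
        var csrfToken = jQuery('input[name=\"YII_CSRF_TOKEN\"]').val();
        jQuery.post(jQuery(this).attr('action'), {
            YII_CSRF_TOKEN: csrfToken,
            body: jQuery('#body').val()
        }, function (html) {
            jQuery('#comments').prepend(html);
        });
    });
", CClientScript::POS_READY);
```

If the POST still fails, compare the field name in the JavaScript with csrfTokenName in the config: the two must match exactly, and the request must be a POST, since Yii only validates the token on POST requests.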

Open source projects built with Yii

List of open source projects built with Yii. This is a partial list; if you know others, let me know.

Project | Description | Link
Hamster | Forum software | https://github.com/samdark/hamster
Celestic | Open source project manager | http://qbit.com.mx/labs/celestic/
Zurmo CRM | Customer Relationship Management (CRM) |
X2 Engine | Customer Relationship Management (CRM) |
Bugitor | Bug tracker application |
Topics | Question and answer site like Stack Overflow |
Flexica CMS | Content Management System |
Phundament CMS | Content Management System |
Yii CMS - GXC-CMS | Content Management System |
yay-cms | Content Management System |
Web 2.0 CMS | Content Management System |
 | Content Management System |
 | Content Management System |
YiiBackbone | blog web application |
 | Simple Project Manager / Bug Tracker |
Yeeki | Wiki application/module |
Open Real Estate | Used to build websites of real estate agencies and realtors | http://monoray.net/products/6-open-real-estate