Tuesday, June 26, 2012

Handling Scripts and CSS in Yii Framework

Handling Scripts and CSS in Yii Framework

Yii provide CClientScript to manage the scripts and css files in Yii.

Registering Core scripts that comes with Yii

To register the core jquery library that comes with yii, use the following methods.

Yii::app()->clientScript->registerCoreScript( 'jquery.ui' );
//We need to pre-render the jquery.yiiactiveform.js on the view where we are going to place the AJAX functionality

The above statement register the Jquery library and jquery ui, if YII_DEBUG is false then yii will register minimized version of Jquery & Jquery UI library.

To register inline scripts and css files
Yii::app()->clientScript->registerScript('unique scriptname','js code',position)

Yii::app()->clientScript->registerCss('unique css','csscode','media=>print/handheld/screen')

Script Positions

CClientScript::POS_HEAD : the script is inserted in the head section right before the title element. .
CClientScript::POS_BEGIN : the script is inserted at the beginning of the body section.
CClientScript::POS_END : the script is inserted at the end of the body section.
CClientScript::POS_LOAD : the script is inserted in the window.onload() function.
CClientScript::POS_READY : the script is inserted in the jQuery's ready function.

so if you use,
Yii::app()->clientScript->registerScriptFile(Yii::app()->baseUrl . '/script/test.js',CClientScript::POS_END);
then the script will be inserted to the body section

To register external scripts and css files

Yii::app()->clientScript->registerCssFile($yourscript_asset. '/test.css');
Yii::app()->clientScript->registerScriptFile($yourscript_asset. '/test.js')

Publishing scripts to assets directory

Asset manager in brief

CAssetManager is a Web application component that manages private files (called assets) and makes them accessible by Web clients. It achieves this goal by copying assets to a Web-accessible directory and returns the corresponding URL for accessing them.
you can compress and minify and otherwise process your assets with the asset publishing system, and it makes it easier to host your JS and CSS on a CDN since it's separate from your codebase.With assets, a component can be used easily without worrying about what files to be copied to public directories and what their URLs are
Consider a scenario, if we have two scripts which is located in scripts/testscript, the directory has two files namely test.js and test.css. We are going to publish it to asset and then we consume that files from asset directory, here is the snippet
$yourscript_asset= Yii::app()->assetManager->publish(Yii::app()->basePath . '/scripts/testscript /');

//Register JS and CSS files        
Yii::app()->clientScript->registerCssFile($yourscript_asset. '/test.css');
Yii::app()->clientScript->registerScriptFile($yourscript_asset. '/test.js');


Load files from google server

Cleans all registered scripts before any script register

Cleans all registered scripts.

Prevent loading jquery files

Yii::app()->clientScript->scriptMap['jquery.js'] = false;
//or if more than one script to be prevent from registering

Avoiding scripts download on AJAX renderPartial request

Suppose we created a function to display the AJAX active form and its contents are returned by a call to a controller’s action that will partially render a view.
// Just before rendering the view that
// has our activeform
Yii::app()->clientScript->corePackages = array();
Now controller doesn't return script files.
It is very important that we set corePackages to array() instead of null, as setting it to null will make CClientScript to reload the packages.php file (located in framework/web/js/) and we won’t stop the duplication of the script.

Saturday, June 23, 2012

Joomla Security Fixes

Hosting security stuff

Turn off following settings in php.ini file

allow_url_fopen allows PHP's functions such as file_get_contents() and the include and require statements can retrieve data from remote locations like an FTP or http protocol and could lead to code injection vulnerabilities,

You should disable allow_url_fopen in the php.ini file:

; Disable allow_url_fopen for security reasons
allow_url_fopen = 'off'

The setting can also be disabled in apache's httpd.conf file:
# Disable allow_url_fopen for security reasons
php_flag  allow_url_fopen  off

If you are using shared hosting use my php.ini file

2. display_errors setting
It should be turned off in production environment to hide annoying error messages.instead of showing erro messages we log them into to log file.

;in php.ini file

log_errors =off

# Disable display_errors for security reasons
php_flag  display_errors  off
php_flag  log_errors  on

When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NULs are escaped with a backslash automatically. This is to prevent all sorts of injection security issues.

if input data contains single or multiple quotes, data automatically escaped with slashes so multiply the problem by repeatedly re-escaping the escaped stuff and you end up with strings like
<a href=\"\\&quot;\\\\&quot;\\\\\\\\&quot;\\... !!

;in php.ini file

Joomla security stuff

1. Use latest Joomla security update
    Get latest joomla updates from here http://joomlacode.org/gf/project/joomla/frs/

2. All the sql injection takes place through the jos_users table , first off all change the databse prefix

    execute the following queries to change table prefix names

FROM   `information_schema`.`Tables` WHERE TABLE_SCHEMA='yourdatabasename';

Change the prefix name value in configuration.php file also
var $dbprefix = 'yourprefix_';

3.Use only secure third party plugins and keep them updated

4.Use secure username and password for administrators
use strongpasswordgenerator.com or some other tool to generate strong password

5.Use an SEF component that makes your Joomla more secure
use .htaccess files provided with joomla package (just rename htaccess.txt to .htaccess)

6.Write-protect your Joomla configuration file (make unwriteable)
set 444 permission to configuration.php

7.Delete Joomla templates and unnecessary files/folders that you do not use

Sunday, June 17, 2012

Fixing The CSRF token could not be verified

"The CSRF token could not be verified", if you get this message while using YII Framework. the issue can happen in
1.You are not using CHtml Form widget
2.You are not using CActiveFormWidget
3.You are using cusom ajax handlers

If you are using CHtml Form widget or CActiveForm widget the Yii Framework automatically validate CSRF token, if we using custom form or custom jquery ajax methods we should pass YII_CSRF_TOKEN to POST request, this may solve the above issue

$csrfToken = Yii::app()->request->csrfToken; // 
will return the csrf token associated with the context, you can now use that csr token to pass in jquery ajax functions

to check csrfvalidation enabled in application use the following method to get status

Getting CSRF Token from javascript

open source projects built with yii

List of open source projects built with yii, this is the partial list, if you know others let me know.

 Hamster  Forum software  https://github.com/samdark/hamster
 Celestic Open source project manager http://qbit.com.mx/labs/celestic/
Zurmo CRM
Customer Relationship Management – CRM
X2 Engine
Customer Relationship Management – CRM
Bug tracker application
Question and answer site like stackoverflow
Flexica CMS
Content Management System
Phundament CMS
Content Management System

Content Management System
Content Management System

Web 2.0 CMS

Content Management System

Content Management System

Content Management System


blog web application
Simple Project Manager / Bug Tracker

Wiki application/module
Open Real Estate Used to built websites of real estate agencies and realtors. http://monoray.net/products/6-open-real-estate

Saturday, August 20, 2011

Using Javascript libraries via Google and Microsoft CDN

Using Google/Microsoft hosted libraries in your application to speed up your application

Google offers a CDN for: