I did not want to pass this information over the web because I
think it is quite relevant for application security (even if ACL is
used in each component) so now while building my normal page I also
build a list of possible ajax calls which might be fired by the
page. Each of these calls is stored in a session, together with a
code. Only this code gets transmitted over the web. On each normal
page load the session namespace I am using for this gets deleted
which makes calls to old things impossible. In a fully AJAX
application there would have to be a different approach to deleting
old codes from the session because then there wouldn't be "normal
page loads". In my case I only have a few page specific ajax
elements, so for me this works.
Any thoughts on this approach?
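An illustration of the session-keyed call list the first message describes, added here as an example and not code from either poster. It uses plain PHP sessions so it runs without Zend Framework (under ZF the `ajax_calls` key would live in a Zend_Session_Namespace; that mapping is an assumption); the function names, the `ajax_calls` key, the `loadComments` action and the sample post id are all invented for the example.

```php
<?php
// Added example (not from the original thread): a per-page allow-list of
// AJAX calls kept server side; only an opaque random code reaches the browser.

const AJAX_NS = 'ajax_calls'; // session key; hypothetical name

/**
 * Call once at the start of every normal page load. Dropping the whole
 * namespace is what makes codes issued by the previous page unusable.
 */
function ajaxResetRegistry(): void
{
    $_SESSION[AJAX_NS] = [];
}

/**
 * Register an AJAX call the page being built is allowed to make.
 * $action is a server-side action name; $params are fixed arguments the
 * browser can never alter (e.g. the record id). Returns the code to embed
 * in the page's JavaScript. Only names and scalars are stored, so the
 * entry survives PHP's session serialisation.
 */
function ajaxRegister(string $action, array $params = []): string
{
    $code = bin2hex(random_bytes(16)); // 128 random bits, unguessable
    $_SESSION[AJAX_NS][$code] = ['action' => $action, 'params' => $params];
    return $code;
}

/**
 * Dispatch an incoming request by its code. $handlers maps action names to
 * callables and is the only route from a code to executable code, so a
 * client cannot name an action or widen the parameters; it can only replay
 * a call the current page was built with. Unknown codes get a 403.
 */
function ajaxDispatch(string $code, array $handlers)
{
    $entry = $_SESSION[AJAX_NS][$code] ?? null;
    if ($entry === null || !isset($handlers[$entry['action']])) {
        http_response_code(403);
        return null;
    }
    // The handler should still apply its own ACL check: the code proves the
    // page offered this call, not that the user is authorised for the data.
    return call_user_func_array($handlers[$entry['action']], $entry['params']);
}

// --- Demonstration (CLI run; in a real request call session_start() first) ---
$_SESSION = [];
function ajax_loadComments(int $postId): string
{
    return "comments for post $postId"; // constructed stand-in for a real lookup
}
$handlers = ['loadComments' => 'ajax_loadComments'];

ajaxResetRegistry();                              // normal page load begins
$code = ajaxRegister('loadComments', [42]);       // embed $code in the page JS
var_dump(ajaxDispatch($code, $handlers));         // string: comments for post 42
var_dump(ajaxDispatch(str_repeat('0', 32), $handlers)); // NULL: unknown code
ajaxResetRegistry();                              // next normal page load
var_dump(ajaxDispatch($code, $handlers));         // NULL: old code was discarded
```

The code acts as a capability for one fixed call, so the handler keeps its own authorisation check on the data it returns. For the fully AJAX case mentioned above, one option (an assumption, not something the poster proposed) is to store an issue timestamp with each entry and have ajaxDispatch reject entries older than a chosen age, since there is no page load to clear the namespace.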
Sounds good to me. For a production site that uses a moderate amount
of lookups and AJAX-related functionality I simply use a single
controller AjaxController.php that contains concrete methods for each
of my calls. Most of these are non-secure functionality so I don't
have any real security measures other than sanitising input and being
careful escaping my output (a Tidy plugin to Zend_View is a handy
addition).
To return output I use Zend_View snippets but nothing is JSON
encoded. I prefer enabling mod_deflate on the server side and letting
that do the heavy lifting for compression.
Mootools (www.mootools.net) is a beautifully written and quick AJAX-
enabled JavaScript framework (>24Kb for the entire library if you
leave off the non-essentials) and seems to fit the ZF-like approach
of simplicity and grace.
--
Simon Mundy | Director | PEPTOLAB
202/258 Flinders Lane | Melbourne | Victoria | Australia | 3000
Voice +61 (0) 3 9654 4324 | Mobile 0438 046 061 | Fax +61 (0) 3 9654 4124
http://www.peptolab.com