It’s just data

Sajax Still UnSafe

SAJAX Version 0.10: PHP: Support for POST.  This is apparently “per [my] suggestions”. [Via Tim Bray]

Looking at the code, SAJAX Version 0.10 now supports GET and POST interchangeably.  While this does have the desired affect of allowing requests of virtually any size, it does nothing to prevent unsafe requests from being made via HTTP GET.  Nor does it address any of the encoding issues.

Sam Slams SAJAX

“AJAX” is a convenient label for the architecture of applications like Google Maps and Visual Net from Antarctica Systems (which I founded). There’s nothing wrong with the idea. But Sam Ruby spots SAJAX, one of the first toolkits, going horribly off...

Excerpt from ongoing at

Is SAJAX needed?

Sam Ruby says Sajax is still unsafe While I haven’t looked at the safety aspects of it, I have to ask if it’s needed at all? When Gmail launched I’d already been interested in this approach for a while, after...... [more]

Trackback from Vidar Hokstad's random musings


Hey Sam, good to see you’re still watching these things, but I’d be very interested in hearing how you would actually go about preventing unsafe requests. (I’ve been working on a related handler, [link] and I don’t want to upset granny).

Posted by Danny at

Danny: pymplex looks fine.  The person coding the server side of the application is well aware of the type of the request, and can act accordingly.  Furthermore, post methods (for example) can’t be invoked by simply following a link.

From my point of view, if the person coding the server application chooses to update a counter or take other actions in response to a get request, then that is a choice that they take responsibility for.

Posted by Sam Ruby at

Marvellous, thanks Sam, your scrutiny is much appreciated.

Posted by Danny at

Well, first of all I thank you about all these post about AJaX (I love the ‘a’ lcased) and how to improve it.

I’ve been designing a barebone class to make the developer work ‘simplier’, but giving as well complete freedom on how to implement the serverside logic.

So, the class is liteAJaX, and it’s still far than being complete. At this time, as said in the link, isn’t more than a wrapper around the XMLHTTPRequest functions.

I will be very interested to read a comment from you (and anyone that could have something to say) on how to improve and keep liteAJaX useful.


Posted by Folletto Malefico at

Simple AJAX Code-Kit (SACK)

In this seemingly unlimited stream of AJAX articles and frameworks, let me present you to SACK. SACK is a light-weight AJAX API, written by Gregory Wild-Smith. Gregory writes: "I’ve seen AJAX solutions like SAJAX or Dojo, and they haven’t really...

Excerpt from Warping it up! at

Scrubbing bubbles and other cures for the common thin client application

My professional has a strong affinity with jargon and acronymns; so, it came as no surprise to me when “AJAX” was coined not too long ago by Adaptive Path. However, in the end I’m all the more convinced that AJAX, as with most technologies in the...

Excerpt from Craig's Musings at

Why don’t you guys stop using classes and functions made by others? Can’t you just do it by yourself? Fuck SAJAX and fuck other public classes, this type of a shit ain’t for real programmers, if you think you got g’s you should write shit yourself

Posted by Dave at

Um, cuz we’re lazy and prefer to reuse code rather than reinvent the wheel?

One good toolkit is better than a dozen half-assed, undocumented attempts at classes...

Posted by Lazy Programmer at

Add your comment