Is this safe for providing JSONP?





<?php header('content-type: application/json');



$json = json_encode($data);



echo isset($_GET['callback'])

    ? "{$_GET['callback']}($json)"

    : $json;

Or should I for example filter the $_GET['callback'] variable so that it only contains a valid JavaScript function name? If so, what are valid JavaScript function names?

Or is not filtering that variable a bit of the point with JSONP?

Current solution: Blogged about my current solution at http://www.geekality.net/?p=1021 . In short, for now, I have the following code, which hopefully should be pretty safe:





<?php header('content-type: application/json; charset=utf-8');



function is_valid_callback($subject)

{

     $identifier_syntax

       = '/^[$_\p{L}][$_\p{L}\p{Mn}\p{Mc}\p{Nd}\p{Pc}\x{200C}\x{200D}]*+$/u';



     $reserved_words = array('break', 'do', 'instanceof', 'typeof', 'case',

       'else', 'new', 'var', 'catch', 'finally', 'return', 'void', 'continue', 

       'for', 'switch', 'while', 'debugger', 'function', 'this', 'with', 

       'default', 'if', 'throw', 'delete', 'in', 'try', 'class', 'enum', 

       'extends', 'super', 'const', 'export', 'import', 'implements', 'let', 

       'private', 'public', 'yield', 'interface', 'package', 'protected', 

       'static', 'null', 'true', 'false');



     return preg_match($identifier_syntax, $subject)

         && ! in_array(mb_strtolower($subject, 'UTF-8'), $reserved_words);

}



$data = array(1, 2, 3, 4, 5, 6, 7, 8, 9);

$json = json_encode($data);



# JSON if no callback

if( ! isset($_GET['callback']))

     exit( $json );



# JSONP if valid callback

if(is_valid_callback($_GET['callback']))

     exit( "{$_GET['callback']}($json)" );



# Otherwise, bad request

header('Status: 400 Bad Request', true, 400);

Source: Tips4all

Create Subdomains on the fly with .htaccess (PHP)

I am looking to create a system which on signup will create a subdomain on my website for the users account area.

Why is this Javascript much slower than its jQuery equivalent?

I have a HTML list of about 500 items and a "filter" box above it. I started by using jQuery to filter the list when I typed a letter (timing code added later): $('#filter').keyup( function() { var jqStart = (new Date).getTime(); var search = $(this).val().toLowerCase(); var $list = $('ul.ablist > li'); $list.each( function() { if ( $(this).text().toLowerCase().indexOf(search) === -1 ) $(this).hide(); else $(this).show(); } ); console.log('Time: ' + ((new Date).getTime() - jqStart)); } ); However, there was a couple of seconds delay after typing each letter (particularly the first letter). So I thought it may be slightly quicker if I used plain Javascript (I read recently that jQuery's each function is particularly slow). Here's my JS equivalent: document.getElementById('filter').addEventListener( 'keyup', function () { var jsStart = (new Date).getTime()...

Is it possible to have IF statement in an Echo statement in PHP

Thanks in advance. I did look at the other questions/answers that were similar and didn't find exactly what I was looking for. I'm trying to do this, am I on the right path? echo " <div id='tabs-".$match."'> <textarea id='".$match."' name='".$match."'>". if ($COLUMN_NAME === $match) { echo $FIELD_WITH_COLUMN_NAME; } else { } ."</textarea> <script type='text/javascript'> CKEDITOR.replace( '".$match."' ); </script> </div>"; I am getting the following error message in the browser: Parse error: syntax error, unexpected T_IF Please let me know if this is the right way to go about nesting an IF statement inside an echo. Thank you.

CCNA, CCNP, MCSA, CCNA Final Exam, All Answer Test Module With 100/100

Search This Blog