Using mysql_real_escape_string stops malicious input from breaking SQL queries. The quote ' is a reserved character in SQL: when it appears inside a parameter it can terminate the string literal and change the meaning of the query. The mysql_real_escape_string function escapes the quote ' so it becomes \'. SQL then no longer treats the quote as a reserved character, and it can safely be used in a parameter, usually to insert a quote into the DB.
If I enter this into a form field on a web site:
<script>alert("Your site executed my code. Thanks");</script>
and the next page displays it without applying htmlentities, the browser will execute it and pop open an alert message box.
The consequences are worse if the input is stored and displayed again to another user. In this example that user would also see the alert message box pop open. The malicious script has access to private data that the browser stores for that user.
<script>alert("Your site executed my code");</script>
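To show the two escaping contexts described above side by side, here is an added example in PHP (it is not code from the original post). It assumes a MySQL server reachable with the placeholder credentials shown and a table named people with columns name and age; both are constructed for this example. mysql_real_escape_string was removed in PHP 7, so the example uses its mysqli equivalent, and also shows the prepared statement that is the preferred replacement for escaping by hand.

```php
<?php
// Added example, not code from the original post. It shows the two escaping
// contexts the post describes: a quote inside a SQL parameter and a <script>
// tag echoed back into HTML. Assumptions: a MySQL server reachable with the
// placeholder credentials below and a table `people` with columns `name`
// and `age` (both constructed for this example).

// Constructed sample inputs: one carries the reserved quote character, the
// other is the script tag from the post.
$nameInput   = "O'Brien";
$scriptInput = '<script>alert("Your site executed my code. Thanks");</script>';

$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
if ($db->connect_error) {
    die('Connection failed');
}

// Broken: the quote in $nameInput closes the string literal early, so the
// rest of the input is parsed as part of the query. Built here for
// comparison only; it is never executed.
$brokenSql = "SELECT age FROM people WHERE name = '" . $nameInput . "'";

// Escaped: mysql_real_escape_string() is gone since PHP 7; the mysqli
// equivalent turns ' into \' so the quote stays inside the literal.
// Also built for comparison only.
$escapedSql = "SELECT age FROM people WHERE name = '" . $db->real_escape_string($nameInput) . "'";

// Preferred: a prepared statement sends the parameter separately from the
// query text, so the database never has to interpret quotes in the data.
$stmt = $db->prepare('SELECT age FROM people WHERE name = ?');
$stmt->bind_param('s', $nameInput);
$stmt->execute();
$result = $stmt->get_result();

// Output context: anything that came from the database or the user is
// encoded before it reaches the page, so a stored <script> tag is shown as
// text instead of being executed by the browser.
echo '<ul>';
while ($row = $result->fetch_assoc()) {
    echo '<li>' . htmlspecialchars((string) $row['age'], ENT_QUOTES, 'UTF-8') . '</li>';
}
echo '</ul>';

// The same encoding applied to the post's script-tag input.
echo '<p>' . htmlentities($scriptInput, ENT_QUOTES, 'UTF-8') . '</p>';

$stmt->close();
$db->close();
```

The two string-built queries are left unexecuted on purpose: the point is to compare what the quote does to each. The get_result() call needs the mysqlnd driver; on a build without it, bind_result() and fetch() do the same job.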
The intended audience is the mass of PHP developers out there who use LAMP (Linux, Apache, MySQL and PHP) and want an overview of the .NET thing; anyone who has an interest in .NET but no knowledge of it might find this post useful.
My own journey into web development began with PHP using Apache server software running on a Linux operating system. To me .NET seemed a vague acronym: was it a language, a server or a framework? However, after using .NET for some real projects the mystery has gone and it turns out that it's actually quite good, with amazing free development tools.
.NET is a framework of code that can be used to compile desktop or web applications. ASP.NET is the web part of this and is the upgrade to classic ASP (Active Server Pages).
Classic ASP worked much like PHP: you would write an ASP script and post it on the server with the extension .asp. The server would be a Windows server running IIS (Internet Information Server), the equivalent of Apache. However, confusingly, you would write your ASP pages using the language Visual Basic; compare that to writing PHP pages using the language PHP.
ASP.NET, the latest technology, lets you write .NET pages using either Visual Basic or the new language C# (C-sharp); whichever you choose, your scripts will have the extension .aspx but still run on IIS.
Microsoft have structured the .NET framework so that code written in different languages compiles down to the CLR (Common Language Runtime). It is a step above assembly and produces 'managed code'. When you deploy a .NET site you can supply uncompiled .aspx scripts to the server or compile the site offline and put .dll files (dynamic link libraries) onto the server. This lets you deploy pre-compiled web apps to clients that they would find hard to reverse engineer.
Personally I prefer to develop using C# because it has a similar syntax to all the other big languages such as C, C++, Java, PHP and ActionScript. VB on the other hand seems out there on its own: curly braces are generally out in favour of IF THEN and END IF kinds of statements, giving rise to the freaky WHILE and WEND, urgh! Sorry VB lovers.
You pretty much have to develop your site on a Windows machine and deploy it to a Windows server. There is a framework called Mono that lets you serve .NET stuff from Linux, but it's not something I have had any need to look into. You could also write all your .NET as text files on a Mac (or Windows) but you would miss out on all the features of Visual Studio, Microsoft's mega IDE.
The Visual Studio IDE has an abundance of great features, particularly the excellent IntelliSense. When you are writing code you get autocomplete for methods in the .NET framework, but even better you get IntelliSense for code that you wrote yourself. If you declare a variable you start to get IntelliSense for it after the next compile. One of my favourite features is refactoring. You can highlight a big block of random code and instantly turn it into a new method: the IDE automatically looks through the code, figures out all the parameters the method will need and creates the new method.
ASP.NET is based around writing scripts for the web server, mixing code with HTML and applying CSS for styling. However, much like ColdFusion and Flex, .NET uses a tag-based syntax to position and place controls onto the page. The tag-based markup is generally mixed with HTML, and all C# is kept separately at the head of the file or, preferably, in a separate code-behind file of the same name but with an .aspx.cs extension.
For each page Visual Studio provides a design view (showing a graphical representation of how the page will look), a code view of the HTML and tag-based markup, and also the code-behind showing raw C#.
The general process is to drag and arrange some controls onto the page using the design view, then write methods in the C# code-behind that will get fired by events generated by the controls.
The whole system is event based. Apparently this was to make ASP.NET easy to understand for desktop developers who were used to dragging Windows controls onto a form and hooking them up to event handlers.
As a page loads, or is POSTed back to as the result of a click, a whole series of events is fired, ranging from the web page being loaded to a row in a GridView about to get the data for a particular cell. The event-based model takes a bit of getting used to. At times it seems like the clearest, simplest methodology there could be; at other times it can leave you frustrated and stuck.
The best part about developing web sites with .NET is that you can test them locally with total confidence that a remote server will behave in exactly the same way as your PC. When you press Ctrl-F5 in Visual Studio it fires up an instance of a .NET server and pops open your website in the browser of your choice. Super convenient. Even better, if you run MS SQL on your development machine you get full working DB functionality too.
1. You have a Windows PC.
2. You download and install Visual Web Developer Express 2008.
3. You download and install MS SQL Express 2008.
4. You download and install SQL Server Management Studio Express.
5. You create a new DB table with some test data.
6. You open Visual Studio and choose Create New Web Site.
7. You drag some controls onto a page.
8. You databind some control to a DB table.
9. You test your page by pressing Ctrl-F5.
Yes, the Express editions are free! The main limitation of Visual Studio Express 2008 is that you can't extend it with third-party controls. You can only use the built-in ones that come with VS; fortunately there are heaps, and you can code anything you like anyway. The Express editions come as different applications such as Visual C++ Express, Visual C# Express and Visual Web Developer Express. The full Visual Studio has all of these wrapped into one app, but that's hardly a problem.
The main limitation of SQL Express and Management Studio is... hmm, well I'm not sure, but probably it's limited to 4G in size or can't be used in a cluster or something like that.
To get to the downloads visit
Choose to download 'Visual Web Developer 2008 Express Edition'. Next download 'SQL Server 2008 Express' and also get SQL Server Management Studio Express, which might be harder to find, but there is a link to it at the bottom of the SQL Server Express download page.
When you install SQL Server Express you will have to answer some setup questions. The main ones are 'allow user instances' and 'allow mixed mode authentication'. Allow user instances lets each user on the PC have their own instance of each DB: one user could fill their DB with stuff while the other user sees an empty DB. Not a big concern for me either way. Windows authentication will log a user into the DB if they are logged into Windows, whilst mixed mode lets a user log in by supplying a username and password. In the real world DB servers generally use mixed mode and expect a username and password, so I like to choose mixed mode.
Start up SQL Server Management Studio Express. This application lets you control a SQL Server in the same way phpMyAdmin lets you control a MySQL DB; the main difference is that it is a desktop app. You can connect to any local or remote SQL Server with Management Studio Express as long as you have permissions and a username and password.
To set up Management Studio Express to connect to your local SQL Server Express instance you can use Windows Authentication, which logs you in as the user that is logged into Windows. When the app opens you will likely be presented with a connect dialogue where you have to locate your local SQL Server Express instance and connect to it. If it is not already shown, choose 'browse for new' from the drop-down. The SQL Express server is usually named YOURCOMPUTERNAME\SQLEXPRESS. Click to connect with Windows authentication.
Once connected, the side panel shows a view of the whole server. Right-click on the Databases folder and select New Database. In the panel that opens fill in the DB name as 'TestDataBase' and click OK. There is a short delay and then 'TestDataBase' appears in the Databases folder.
Expand 'TestDataBase', right-click the 'Tables' folder and choose New Table. A blank table design view opens. For the first Column Name enter Name and choose varchar(50) for the type. Enter Age for the second column and choose type int.
When you have completed the table design, right-click the tab at the top and choose Save As. You will be prompted for a name. Call the table People.
Right-click on the newly created People table and choose Open Table. You will see the empty rows in the table. You can start to enter some test data by clicking into each row and typing. Once you have 4 or 5 rows filled in, the test data is complete.
Next, open Visual Studio and create a new web site. That's File->New Web Site. A pop-up appears. Select new ASP.NET web site and Language C#. Choose location File System and either choose a location or go with the default. Click OK.
A new folder is created at the specified location containing all of the files required for your web site. A start page called 'Default.aspx' is created for your site and opens in the IDE. Microsoft like to start things with capital letters.
Switch to the design view for Default.aspx by clicking the 'Design' button near the bottom of the screen. Open the Toolbox, if it is not open already, by choosing View->Toolbox. Browse down to the Data tab, then locate the GridView control. Drag it onto the page.
There is a small tab to the top right of the GridView control. If you click it, the GridView Tasks panel opens to the right of the control. Open the 'Choose Data Source' drop-down and click on 'New data source...'. A Data Source Configuration Wizard opens asking 'Where will the application get data from?' and showing a list of possible data sources. Choose Database and click OK for the default name SqlDataSource1.
The next step asks 'Which data connection should your application use to connect to the database?'. Click New Connection. In the Add Connection dialogue select your SQL Server Express instance from the server drop-down list. For 'Select or enter a database name' choose the 'TestDataBase' created earlier. Click to test the connection and if it is OK click OK. You should now be able to preview the connection string that the data source will use.
The next step of the wizard prompts you to store the connection string in the web.config file. A web.config file is stored by each .NET web site and contains settings specific to that site. Click Next to store the connection in the web.config file. You can browse the web.config file later and find the entry for the connection string.
Next you will be asked 'How would you like to retrieve data from your database?'.
Click on the 'Specify columns from a table or view' radio button and check the * column to return all the data in the table. The equivalent SELECT statement is shown. The final step lets you test the query to see that the data is returned correctly.
When you are returned to the design view you will see that the GridView now shows headings for each column selected from the DB table.
When you test the web site a bubble pops up informing you that the ASP.NET development server has started running and gives you the URL of the local server. Internet Explorer (you can change the target browser) fires up, opening the Default.aspx page. If everything is in order the GridView will display the data from the People DB table. Hurrah!
On my machine the page above has the URL http://localhost:2073/quickstart/Default.aspx; this is only valid when the development server is actually running. If you are a Flash developer building a SWF that needs data from a backend database, you can do everything locally: just set the URLs to point at pages on the local development server that serve the data to your SWF.
I was thinking about how great it would be to have a full web page that looks just like a normal HTML page but is in fact a full-browser 3D Flash page. The aim would be to briefly trick an HTML/CSS purist before unleashing some 3D trickery. Anyway, I downloaded the Five3D library and expanded one of the examples to recreate my blog in 3D.
Check out the result here.
The page looks and scales like normal HTML, but doesn't reveal its 3Dness until you click on it. I expect stuff like this will probably explode onto the web with the next few versions of the Flash player. Google's new ability to index SWFs in a human-clicking style might just satisfy the SEO slaves.
Unfortunately at the moment the performance drops off rapidly as more text is added. For that reason I haven't put too much onto the page. If you play with the code you can uncomment the next few paragraphs and see how it performs. In his interview with FWA, Mathieu Badimon says that he thinks Flash Player 10 will offer some of the same functionality as Five3D, so this should give the performance a boost.
You will need the Five3D classes in your classpath to compile it, of course; get them from the Five3D site. For Flash to always fill the browser I referred to these articles, at Adobe and here (AS2, but gives the HTML publish settings).
To get your SWF to always fill the browser you need these HTML publish settings:
1. Dimensions: set width and height to 100%.
2. Scale: set to noscale.
3. Alignment: set horizontal to left and vertical to top.
The code won't teach you anything more about Five3D than the basic tutorials do. You will see that the code laboriously places everything sentence by sentence, shape by shape.
If anybody writes code to process generalized HTML and display it in 3D, please let me know!! Adobe???
Or get everything here.
In AS2, if you wanted to access the properties of an instance on the stage from code, you had to ensure that the “export for actionscript” checkbox was selected in the linkage properties for that MovieClip in the library. If it wasn't, your code wouldn't see the instance and would fail silently. This was pretty confusing at first, and even once you got used to it there would be times that it would still catch you out.
In AS3 you do not need to select the “export for actionscript” checkbox to access the properties of an instance on the stage. Any MovieClip instance you drag onto the stage at design time becomes a property of the document class and can be accessed from code as long as it has an instance name. This is only true when the “Automatically declare stage instances” option is checked in Publish Settings - Actionscript 3.0 Settings, which it is by default.
If you do select “export for actionscript” for a clip in the library, like this.
When you click OK you will be greeted with the following slightly alarming pop-up message.
ActionScript Class Warning
A definition for this class could not be found in the classpath, so one will be automatically generated in the SWF file upon export.
This is actually nothing to worry about but may induce mild panic; you just click OK to continue and your swf still works fine. What the message is saying is that you are creating a new type, in other words a new class.
The MovieClip you have created in the library extends the definition of the Flash MovieClip and adds extra features to it, at this point just the graphics you have drawn in it. The message is complaining that this extension of MovieClip doesn't have a definition in code: there is no .as file for it. However, it lets you off lightly and generates the code for your new type inside the swf (no .as files) at compile time.
In AS3 “export for actionscript” should be selected when you want to add a MovieClip to the stage at runtime from ActionScript. The syntax for doing this in AS3 with a MovieClip called Square in the library (with export for actionscript selected) looks like this.
In the first line an instance of the new type Square is created and named mySquare. At this point mySquare doesn't exist on the display list (so can't be seen on the stage); it only exists as a variable in ActionScript. The next two lines set some of the properties of the mySquare variable, in this case its position. Then finally, with the addChild command, I hook the mySquare MovieClip variable onto the display list. mySquare now exists as a variable in ActionScript and is referenced and displayed on the stage.
In AS2 it was easy to think of MovieClips as things on the stage that your code could reference but with AS3 it becomes clear that a MovieClip is actually a type just as String or Number are.
In the case above Square extends MovieClip. In purely Object Oriented terms this means that if I create an instance of Square it will have all the methods and properties of a MovieClip, such as mySquare.x or mySquare.visible, plus any extra I add to it. However, so far I haven't provided code for any extra methods, hence the ActionScript Class Warning when the clip is created in the library. If I wanted to add extra methods to Square I could do so by adding a new .as file called Square.as; if I wrote the .as file before creating the clip in the library I wouldn't get the warning.
The output now traces “hello”. As well as using the standard MovieClip methods and properties mySquare can also call the new method sayHello because it is of type Square and Square extends MovieClip.
One last point: notice that this time I have declared mySquare as type MovieClip, whereas before I declared it as type Square. Either could be used; this duality of type is what is known as polymorphism in Object Oriented speak.
Hope that is of use to somebody!
First create a FLA. You can name this whatever you like, maybe myFirstApp.fla. At this point you could start writing code directly into a timeline frame; however, best practice is to define a document class.
The document class can be specified by entering the name of a class into the property panel for the document. This is the same place where you would specify the size of your swf. Think of a name for your document class, maybe myFirstApp. The document class doesn't have to have the same name as your main FLA; there is no link between them.
By typing myFirstApp into the property panel you are telling Flash to create an instance of the myFirstApp class when the FLA runs.
When compiling your FLA, Flash will go and look for the code for the myFirstApp class. It will look for a file called myFirstApp.as by searching the directory the FLA is in or the directories specified under Classpath in Preferences.
The next step is to create the myFirstApp.as file. This is just a text file with the extension changed to .as. Place the file in the same directory as your FLA.
Contents of myFirstApp.as
The package statement places the myFirstApp class into the root package, which means this class won't be stored in a subfolder, just in the same directory as the FLA.
The myFirstApp class extends Sprite. This means that the document class, as well as having any further methods and properties that you define, will also have all the methods and properties of a Sprite. The import flash.display.Sprite statement lets the Flash compiler know where to look for the definition of Sprite at compile time.
Note that the myFirstApp.as file should only contain a class called myFirstApp or you will get errors.
The document class, unlike other classes, must extend Sprite (or some other display class) because the document class automatically represents the swf stage. Any MovieClip instances you name and place on the stage at author time become properties of the document class and can be accessed by name from ActionScript inside the class.
This part defines the constructor for the myFirstApp class. The constructor function for a class is a function that has the same name as the class and is called whenever an instance of the class is created. For the document class an instance is created when the swf runs. This means that the constructor is the entry point for our application and the trace statement is the first line of code to be executed at runtime. The creators of Flash have borrowed these concepts from the Java world.
And that's the basic set up!
I'm thinking about updating datafake since it has had the same Flash content on it for the last 2 years, currently an AS2 Jet Set Willy clone and some other knick-knacks.
I'm thinking that I would like to put up some AS3 thing that will let people litter the site with text, and also make it look nice.