Entries for month: June 2010

Quick Tip: Use jQuery live() Function For Links in JavaScript-Powered Data Tables


NOT doing the tip that I'm about to share has bitten me twice now, so I'm putting this out there as a reminder to myself as well.

The jQuery live() function is an extremely useful function to have when you're adding or removing page elements that have jQuery event handlers assigned to them because using live() ensures that any new element that matches the live() selector gets that event handler automatically.

It's easy to remember to use live() when you're writing your own code that adds and removes DOM elements, but when you're using a plugin that does the adding and removing behind the scenes, you might not think about it.  In one of my applications, I apply the jQuery DataTables plugin to my HTML tables so that the users can sort and filter the data in the tables.  Included in each row are hyperlinks that trigger certain actions via JavaScript/jQuery. 

When I originally assigned the event handlers to these links, I simply used the "click" event handler on them.  The links worked perfectly if they were displayed as part of the initial page load, but any links belonging to rows that appeared later (as the result of a sort, filter, or pagination event in the plugin) did not work because the link elements were actually added by the plugin, and hence did not have the event handlers assigned to them.

In short, if you're using one of the many plugins to enhance HTML tables, and you have elements in each row that have jQuery events assigned to them, make sure you use the live() function to assign those event handlers.

My First Published Android App: NoteToSelf


I haven't been blogging much lately, but that's partly because I was on vacation for a week and partly because I was working on this:

http://www.thoughtdelimited.org/android/notetoself/

It's a fairly simple app built with the standard Android API, but it meets MY need for a note/reminder list that is right there on my Android home screen and lets me see all of my reminders without having to go into the application. And being able to dictate my reminder (I put in the dedicated dictation button because my Swype keyboard doesn't have a key for dictation like the stock Android keyboard does) makes it easy to add a quick note if you can tolerate a mistranslation here or there.

This version is free, so if you have an Android device running 2.1 or higher, feel free to check it out.

Android Application Recommendation: Swype


Right now, there is a small window of opportunity for Android phone owners to acquire the newest "beta" (honestly, it's about as "beta" as Gmail used to be) version of the Swype virtual keyboard app.  It's only available for a few days for folks willing to register for the "beta" program (which is free) at http://beta.swype.com/.  You can't download it from the Android Market, so once the registration system is closed again you'll have to hope someone hacks the app to make it available (which admittedly happened with the initial beta), or buy one of the Android phones that comes with Swype pre-installed (that is Swype's "official" means of distribution).

So as I said already, Swype is a virtual keyboard app.  Once you install it, you can then use it instead of whatever virtual keyboard came installed and set as the default (ah, the freedom to choose...). What's special about it?  Instead of tapping each key (which you can still do if you want), you swipe/drag your finger across the keyboard from key to key to spell out the word you want to input. Even though you cross over numerous unwanted letters and numbers as you move your finger, it still somehow detects which of the keys you cross over with your fingers are the intended letters (maybe somehow detecting the briefest of pauses or the slight change in direction as you start moving to the next one). If it's not sure what you meant to spell, a list of possible choices pops up and you can tap the correct choice.

You lift your finger to complete a word, and if you start to trace out a new word it adds a space after the previous word automatically. There are also a number of special gestures, such as dragging your finger above the keyboard to capitalize the last letter you selected, and swirling your finger over a letter to enter the letter twice. You can see it in action in the videos on the Swype website.

I've been using Swype for quite a while, and I can compose text on my Droid a LOT faster with Swype than I could with the stock Android OR iPod Touch keyboard, and it works for me despite the fact that I sometimes hesitate or "take a wrong turn" because I've forgotten where on the keyboard the next letter is.

I strongly recommend that every Android owner take the opportunity presented by this beta offering and try it out for themselves.

Preventing CSRF Attacks Using Event-Types in Model-Glue


A cross-site request forgery (CSRF) occurs when a hacker takes advantage of the fact that users don't always log out of the websites and web applications they visit. The hacker creates a URL or a form that passes valid data to a valid destination on the target website and hopes that a user who is still authenticated to that website clicks that malicious URL or form. If such a user falls into the trap, the target website will process the request just as if the user had executed the action within the target website under normal circumstances.

One common method for preventing CSRF attacks is to generate a unique value every time a user visits a form on the website and store that value both within the user's session and within the form itself as a hidden field. When the form is submitted, the value in the form is checked against the value stored within the user's session, and if they don't match the form submission isn't processed. The next time the user encounters a form (even if it's the same form), a new unique value is generated. Without a way of knowing what that unique value is at any given time, the hacker cannot build a form or construct a URL that simulates a legitimate request, and the attack fails.
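The per-form token check described above, sketched in JavaScript for Node.js as an added example (it is not code from this post and not Model-Glue or ColdFusion code). The function names, the `csrfToken` field name, and the plain object standing in for the user's session are all assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Hypothetical helpers. `session` is a plain object standing in for the
// server-side session of one authenticated user.

// Called each time a form is rendered: generate a fresh unpredictable value
// and store it in the session, replacing any earlier one.
function issueFormToken(session) {
  const token = crypto.randomBytes(32).toString('hex');
  session.csrfToken = token;
  return token;
}

// The same value goes into the form as a hidden field (hex needs no escaping).
function renderHiddenField(token) {
  return `<input type="hidden" name="csrfToken" value="${token}">`;
}

// Called when a form is submitted. The stored value is consumed before the
// comparison, so a token is never accepted twice, even after a failed attempt.
function verifyFormToken(session, submitted) {
  const expected = session.csrfToken;
  delete session.csrfToken;
  if (typeof expected !== 'string' || typeof submitted !== 'string') return false;
  const a = Buffer.from(expected, 'utf8');
  const b = Buffer.from(submitted, 'utf8');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Constructed walk-through: one legitimate submission and three bad ones.
function demo() {
  const session = {};
  const results = {};
  const t1 = issueFormToken(session);              // user opens the form
  results.legitimate = verifyFormToken(session, t1);
  results.replayed = verifyFormToken(session, t1); // same value sent again
  issueFormToken(session);                         // user opens the form again
  results.forgedNoToken = verifyFormToken(session, undefined);
  const t3 = issueFormToken(session);
  results.forgedGuess = verifyFormToken(session, 'a'.repeat(t3.length));
  results.rotated = issueFormToken(session) !== t3; // new value per visit
  return results;
}

console.log(demo());
```

Because the stored value is consumed on every attempt, a rejected request also invalidates the form the user currently has open; they have to reload it to get a new token.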

Rather than have to remember to create these unique values and include them within every form (or every URL that executed some sort of data operation), and then check the validity of the submitted value on each processing page, I wanted to see if there was a way I could build CSRF security into the structure of my Model-Glue applications.
