
About the Reviewers

Md. Mahmud Ahsan graduated in Computer Science & Engineering from the International Islamic University Chittagong (IIUC) in Bangladesh. He is a Zend Certified Engineer and expert in developing web applications, Facebook applications, Mashup applications, and iPhone-native applications. Besides his full time job, he blogs at http://thinkdiff.net and writes articles on different technologies, especially Facebook applications development. He lives in Bangladesh with his wife Jinat. Currently, Mahmud works as a Software Engineer (remote developer) in i2we inc. (867 Avalon, Lafayette, CA) where he develops social web applications using PHP, MySQL, JavaScript, Zend Framework, CodeIgniter, jQuery, and Mashup APIs. He also leads various small to medium level projects. Mahmud is also an Indie iPhone application developer and publishes his own applications at http://ithinkdiff.net. He was a technical reviewer of the Zend Framework 1.8 Web Application Development book by Packt Publishing.

I'm very grateful to my father who bought a computer for me in 2001. Since then, I have loved programming and working with various technologies.


About the Author

Vijay Joshi is a programmer with over six years of experience on various platforms. He discovered his passion for open source four years ago when he started playing with PHP on a hobby project after completing his Masters in Computer Applications. Vijay is a professional web developer now and prefers writing code ONLY in open source (but that does not always happen, unfortunately!). He switches hats as needed: he is full-time lead programmer at Philogy, independent consultant for a few selected companies where he advises them on a variety of Internet-based initiatives, and still remains an active blogger at http://vijayjoshi.org. Besides his work, he enjoys reading, trekking, and sometimes getting obsessed with fitness.

Writing a book is a long and complicated task which requires the support and coordination of many people. I am thankful to the entire team at Packt, especially Michelle, Chaitanya, and Neha for being so cooperative and patient with me. This book is dedicated to all open source developers, contributors, and enthusiasts around the world who have made PHP and jQuery the leading programming tools in their niche. A big thank you to you guys. I am feeling both proud and excited to be able to contribute to the community that gave me so much to learn. On a personal note, I would like to thank my parents, my brother Ajay, and Sheethal for their support and encouragement. A special thanks to Ravindra Vikram Singh for helping me get started on this project.


Credits

Author: Vijay Joshi
Reviewers: Anis Ahmad, Md. Mahmud Ahsan, Joe Wu, Shameemah Kurzawa
Acquisition Editor: Chaitanya Apte
Development Editor: Neha Mallik
Technical Editors: Mohd. Sahil, Hithesh Uchil
Editorial Team Leader: Aanchal Kumar
Project Team Leader: Ashwin Shetty
Project Coordinator: Michelle Quadros
Proofreader: Mario Cecere
Indexer: Hemangini Bari
Production Coordinator: Aparna Bhagat
Cover Work: Aparna Bhagat


PHP jQuery Cookbook

Copyright 2010 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: December 2010
Production Reference: 1081210

Published by Packt Publishing Ltd., 32 Lincoln Road, Olton, Birmingham, B27 6PA, UK.

ISBN 978-1-849512-74-9

www.packtpub.com

Cover Image by Vinayak Chittar (vinayak.chittar@gmail.com)


SQL SERVER AS A PLATFORM FOR WEB SERVICES

general, authentication is providing information, be it a user ID and password or a token containing a Kerberos ticket, to identify yourself to the application and prove that you are who you claim to be. Once you have been authenticated, SQL Server knows who you are, and your SQL Server roles and permissions authorize you to access various resources. The parameters AUTHENTICATION, AUTH_REALM, and DEFAULT_LOGON_DOMAIN determine what mechanism a user uses to identify herself to SQL Server. There are four AUTHENTICATION choices, analogous to the choices in IIS.

ANON

This allows anonymous access to the endpoint. The user does not have to identify herself to SQL Server at all. Anonymous access will not be permitted on CLEAR ports; in other words, it is not permitted unless SSL is also used. When a user contacts an endpoint using anonymous access, she actually connects to SQL Server through SQL Server's Windows integrated security option using the Windows guest account on the machine.

BASIC

This choice uses HTTP basic authentication as defined by RFC 2617. Basic authentication requires a user ID and password, which will be transmitted over the network, and therefore is not permitted on CLEAR ports. When basic authentication is used, a user can specify either SQL Server credentials or Windows credentials (user ID and password), and if these credentials have logon access (that is, a record in syslogins), these will be used to log on to SQL Server.

DIGEST

Using digest authentication consists of hashing the user name and password with a one-way hashing algorithm and sending the hash output to the server. It is defined in RFC 2617. In Windows operating systems, this requires that the machine be a Windows Active Directory domain controller and is not used frequently. In digest authentication, the user logs in to SQL Server using Windows security (a native SQL Server login is not possible).

INTEGRATED

Integrated security in Windows
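The following T-SQL, added here as an illustration and not taken from the book, puts the four AUTHENTICATION choices side by side with the transport rules just described, using the beta CREATE ENDPOINT syntax the chapter prints. The endpoint names, paths, realm and domain are made up, and the quoting of string values is an assumption (the chapter's listings lost their quotation marks). This syntax changed before SQL Server 2005 shipped, and native SOAP endpoints were dropped from later releases, so read it as a companion to the text rather than as a script to run unchanged.

```sql
-- Added example, not from the book: which AUTHENTICATION choices the text
-- allows on which ports. Endpoint names, paths, realm and domain are made
-- up; string quoting is assumed, since the chapter's listings lost their quotes.
-- Every endpoint is created STOPPED (defined, but not listening).

-- Not permitted: ANON on a CLEAR port. The text allows anonymous access only
-- when SSL is also in use; the caller is mapped to the Windows guest account.
CREATE ENDPOINT anon_clear
    STATE = STOPPED
AS HTTP (
    SITE = '*',
    PATH = '/sql/anon_clear',
    PORTS = (CLEAR),
    AUTHENTICATION = (ANON)
)
GO

-- Not permitted: BASIC on a CLEAR port. RFC 2617 basic authentication puts
-- the user ID and password on the wire, so it needs the SSL port.
CREATE ENDPOINT basic_clear
    STATE = STOPPED
AS HTTP (
    SITE = '*',
    PATH = '/sql/basic_clear',
    PORTS = (CLEAR),
    AUTHENTICATION = (BASIC)
)
GO

-- Allowed: BASIC over SSL only. AUTH_REALM is the realm string sent in the
-- HTTP challenge. With BASIC the credentials may be SQL Server or Windows
-- logins, provided a syslogins record exists for them.
CREATE ENDPOINT basic_ssl
    STATE = STOPPED
AS HTTP (
    SITE = '*',
    PATH = '/sql/basic_ssl',
    PORTS = (SSL),
    AUTHENTICATION = (BASIC),
    AUTH_REALM = 'sql.example.com'
)
GO

-- Preferred: INTEGRATED (Windows) over SSL. Credentials are validated by
-- Windows rather than sent as an HTTP password, and callers who omit a
-- domain are looked up in DEFAULT_LOGON_DOMAIN.
-- DIGEST also avoids a clear-text password, but the text notes it requires
-- the machine to be an Active Directory domain controller and permits only
-- Windows logins, so it is left out of this set.
CREATE ENDPOINT integrated_ssl
    STATE = STOPPED
AS HTTP (
    SITE = '*',
    PATH = '/sql/integrated_ssl',
    PORTS = (SSL),
    AUTHENTICATION = (INTEGRATED),
    DEFAULT_LOGON_DOMAIN = 'CORP'
)
GO
```

The first two definitions are the ones the text says SQL Server will not permit; they are shown only so the port/authentication pairing is explicit. None of the four carries a FOR SOAP clause, so even the accepted ones expose no methods until that portion is added.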



SECURITY CHOICES AND XML WEB SERVICES

SQLXML 3.0 Functionality

In SQLXML 3.0, the equivalent functionality would be defined by using the IIS Virtual Directory Management for SQL Server GUI tool and adding a new virtual directory. Because we are using native HTTP support rather than an ISAPI application, when we use CREATE ENDPOINT in SQL Server 2005, we are not adding a virtual directory to IIS.

Security Choices and XML Web Services

The same reasons that HTTP is conveniently usable as a transport also make it a security risk. Firewall administrators routinely leave port 80 open for HTTP traffic. Web spiders and other search engines scour arbitrary servers looking for content to index (or break into). Tools exist that make it easy to execute a denial of service attack on an arbitrary Web server. A server listens to TCP port 80 at its own risk. It is not the case that the HTTP protocol itself is less secure than, say, the TDS protocol; it is just more of a known quantity. The fact that the headers and verbs are text based (a feature shared by SOAP and XML) makes any message readable by default. Arbitrary TDS messages may be run through a binary decoding filter, but when you are using a text-based protocol, the filter is your eyes.

Making security explicit, with denial of access as the default behavior, is crucial when using HTTP to talk directly to your corporate database. As we mentioned before, SQL Server's HTTP support is turned off by default. Enabling HTTP is required. Endpoints are not started by default, and no endpoints are predefined. This is a big improvement over software that comes with Web servers preinstalled, autostarted, with security turned off.

Because SQL Server endpoints are their own Web servers, you use traditional HTTP security protocols for authentication. In addition to authentication, SQL Server's HTTP endpoints allow IP address filtering by using the RESTRICT_IP and EXCEPT_IP parameters on CREATE ENDPOINT. This is similar to the equivalent functionality found in most Web servers. You can permit access to SQL Server endpoints using either SQL Server authentication or Windows integrated security logins on SQL Server. A variety of authentication protocols are supported, including WS-Security (the Web Service standard security authentication protocol), which will be added before SQL Server 2005 ships. Once authenticated, access to SQL Server resources (authorization) is handled by SQL Server permissions. In



If you specify + (plus sign), it means that you want to listen on all possible host names for the machine. * is the default.

PATH

The path on the Web server that users connect to. You must specify this parameter, and there are special security requirements to be able to use any path that is not a subpath of /sql.

PORTS, CLEAR_PORT, and SSL_PORT

These define the TCP ports to use and whether you can use unencrypted (CLEAR_PORT) or encrypted (SSL_PORT) communication or both. By default, unencrypted HTTP uses port 80, and SSL encryption uses port 443. Note that in the beta release of SQL Server 2005, if you want to use SSL, you must have an IIS server running on the same machine with a server certificate installed on it.

COMPRESSION

This defines whether the endpoint uses HTTP compression. Because SOAP messages can be rather verbose but, being XML-based, compress well, compression is usually a performance improvement. You must ensure that your clients can deal with the compressed message format, however.

As an example of the parameters we've defined so far, the following CREATE statement:

    CREATE ENDPOINT myendpoint
        STATE = STARTED
    AS HTTP (
        SITE = '*',
        PATH = '/sql/mydatabase',
        PORTS = (CLEAR),
        COMPRESSION = ENABLED
    )
    GO

would partially define an endpoint with the symbolic name myendpoint that listens for requests at http://myservername/sql/mydatabase on port 80. Because security information is missing, the CREATE statement would not succeed; it's only for illustration. This endpoint is available at SQL Server startup. Note that myendpoint is only a symbolic name that identifies the endpoint in the SQL Server metadata and has no bearing on the physical HTTP endpoint. In this example, myservername is the DNS name of our machine that is running SQL Server. We specified this by using the SITE = '*' parameter, or since SITE = '*' is the default, we could have left it out altogether.

As nice a definition as this is, we can reach SQL Server but have no permission to do anything yet. We need to address security and add the FOR SOAP portion of the definition for that.



PARAMETERS THAT RELATE TO SERVING HTTP

- Defining whether you can invoke specific procedures, arbitrary batches, or both
- Defining the exact format of the SOAP message

Endpoint State

First, we'd like to point out that no HTTP endpoints are defined by default in SQL Server. When you install a fresh version of SQL Server on a .NET Server machine, you have no HTTP connectivity. Someone with administrative privileges has to define and enable HTTP endpoints before they are available; this behavior is for the sake of added security. All endpoints can be defined with state parameters.

STATE

When SQL Server comes up, it tries to establish an HTTP listener on the sites, paths, and ports that you specify, if STARTED is selected. If STOPPED is selected, the endpoint does not automatically service requests at startup time, but an administrator can enable it by using ALTER ENDPOINT ... STATE = STARTED. Note that STOPPED is the default. If you specify DISABLED, SQL Server must be stopped and restarted for the endpoint to be enabled.

Note that you can also enable or disable HTTP for the entire SQL Server instance by using the system stored procedure sp_configure. The entire T-SQL statement would look like this.

    -- option 0 turns it off
    -- option 1 turns it on
    sp_configure 'enable http', {0 | 1}

Parameters That Relate to Serving HTTP

Let's talk about Web server information, deferring the security information until a later section. There are a few parameters to CREATE ENDPOINT that are usually specified in the IIS metabase if you are using the IIS Web server. Because SQL Server is acting as the Web server in this case, these parameters must be defined in the DDL statement. These were not needed in SQLXML 3.0 because you were using IIS as a Web server. The relevant parameters are as follows.

SITE

This is the name of the Web site ("Web server") that will be used by the client when connecting. If you specify * (asterisk), it means that you want to listen on all possible host names for the machine that are not otherwise explicitly reserved by other programs that serve HTTP (like IIS).



time correlate these DDL statements with the COM object model that you would be using if you use SQLXML 3.0. The complete syntax for cataloging an HTTP endpoint definition in Transact-SQL follows.

    CREATE ENDPOINT endPointName
        [ AUTHORIZATION ]
        [ STATE = { STARTED | STOPPED | DISABLED } ]
    AS HTTP (
        [ SITE = { * | + | webSite } , ]
        PATH = url ,
        PORTS = ( { CLEAR | SSL } [ ,...n ] )
        [ , CLEAR_PORT = clearPort ]
        [ , SSL_PORT = SSLPort ]
        , AUTHENTICATION = ( { ANON | BASIC | DIGEST | INTEGRATED } [ ,...n ] )
        [ , AUTH_REALM = { realm | NONE } ]
        [ , DEFAULT_LOGON_DOMAIN = { domain | NONE } ]
        [ , COMPRESSION = { ENABLED | DISABLED } ]
        [ , RESTRICT_IP = { NONE | ALL } ]
        [ , EXCEPT_IP = ( { <4-part-ip> | <4-part-ip>: } [ ,...n ] ) ]
    )
    [ FOR SOAP (
        [ { WEBMETHOD [ namespace . ] methodalias
            ( NAME = three.part.name
              [ , SCHEMA = { NONE | STANDARD | DEFAULT } ]
              [ , FORMAT = { ALL_RESULTS | ROWSETS_ONLY } ] )
          } [ ,...n ] ]
        [ BATCHES = { ENABLED | DISABLED } ]
        [ , WSDL = { NONE | DEFAULT | sp_name } ]
        [ , SESSIONS = { ENABLED | DISABLED } ]
        [ , SESSION_TIMEOUT = { int | NEVER } ]
        [ , DATABASE = { database_name | DEFAULT } ]
        [ , NAMESPACE = { namespace | DEFAULT } ]
        [ , SCHEMA = { NONE | STANDARD } ]
        [ , CHARACTER_SET = { SQL | XML } ]
    ) ]

This syntax, seen in its entirety, may seem imposing at first. So to start with, let's break it down into its component pieces. Note that endpoints can be owned by a specific user by specifying the AUTHORIZATION keyword, just as with other SQL Server database objects. The parameters in CREATE ENDPOINT that are used by HTTP endpoints are divided into these groups of functionality:

- Endpoint state
- Serving HTTP
- Authentication
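Pulling the pieces together, here is one complete definition written to the syntax above. It is an added example, not one of the book's listings: it supplies what the earlier myendpoint sketch left out (AUTHENTICATION and the FOR SOAP portion), applies the RESTRICT_IP/EXCEPT_IP filter from the security discussion, and is created STOPPED so that an administrator starts it deliberately. The endpoint, path, database, procedure and namespace names and the IP address are made up, string quoting is assumed (the chapter's listings lost their quotation marks), and the RECONFIGURE after sp_configure is the usual follow-up for sp_configure options rather than something the chapter states.

```sql
-- Added example, not from the book: a full endpoint in the beta syntax above.
-- Endpoint, path, database, procedure, namespace and IP address are made up;
-- string quoting is assumed (the chapter's listings lost their quotes).

-- STOPPED is the default; spelling it out makes the intent visible in the
-- DDL: nothing listens on /sql/sales until an administrator starts it.
CREATE ENDPOINT sales_orders
    STATE = STOPPED
AS HTTP (
    SITE = '*',                      -- all host names not reserved by IIS
    PATH = '/sql/sales',             -- a sub-path of /sql needs no extra permission
    PORTS = (SSL),                   -- encrypted transport only; no CLEAR port
    AUTHENTICATION = (INTEGRATED),   -- Windows logins, no HTTP password on the wire
    DEFAULT_LOGON_DOMAIN = 'CORP',
    COMPRESSION = DISABLED,          -- enable only once every client handles it
    RESTRICT_IP = ALL,               -- deny every address ...
    EXCEPT_IP = (10.0.1.20)          -- ... except the application server (made up)
)
FOR SOAP (
    -- Publish one stored procedure under a SOAP method alias; nothing else
    -- in the database is reachable through this endpoint.
    WEBMETHOD 'http://sales.example.com/'.'GetOrder'
        ( NAME = 'Sales.dbo.GetOrder',
          SCHEMA = STANDARD,
          FORMAT = ROWSETS_ONLY ),
    BATCHES = DISABLED,              -- refuse arbitrary T-SQL batches over SOAP
    WSDL = DEFAULT,                  -- serve the generated WSDL for the method
    SESSIONS = DISABLED,
    DATABASE = 'Sales',
    NAMESPACE = 'http://sales.example.com/'
)
GO

-- Later, after review, start the listener without restarting SQL Server.
ALTER ENDPOINT sales_orders STATE = STARTED
GO

-- Instance-wide switch from the "Endpoint State" section: 0 turns HTTP off
-- for every endpoint at once. RECONFIGURE is the usual sp_configure
-- follow-up and is assumed to apply here.
sp_configure 'enable http', 0
GO
RECONFIGURE
GO
```

The two settings that do the most work here are BATCHES = DISABLED, which limits callers to the listed WEBMETHOD rather than arbitrary T-SQL, and RESTRICT_IP = ALL with a single EXCEPT_IP entry, which keeps the listener unreachable from anything but the named host even before authentication is attempted.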
