[Secure AJAX for PHP] SAJA

Updates | Why Use SAJA? | Demo | Projects | Notes on Security | Documentation | Discussion / Forum | Contact | Download

SAJA - Secure Ajax For PHP

Saja is a lightweight, open-source AJAX scripting engine for PHP4/5, with optional secured data transfer. It is designed for the speedy creation of simple, secure, and maintainable AJAX applications, without the need to write any JavaScript.

SAJA v2.8 (Full UTF-8 Support!) - Release Date: July 18, 2007

SAJA now supports the full UTF-8 character set.

Changes for v2.8:

• Extended ASCII Mode (default) - Works for most european character sets and avoids problems with PHP UTF-8 string manipulation
• Full UTF-8 Mode - Allows full UTF-8 character set. Be wary of PHP's UTF-8 limitations and you will be fine - more info in documentation.
• New Callback Methods - $this->alert('my string'); and $this->submit('my_form_id');

SAJA v2.7 - Release Date: February 23, 2007

The major addition to this release is the browser history functionality - you can optionally choose to have saja requests register in the browser history so the navigation buttons work properly where appropriate. Also changed the implementation of the stored key to eliminate session issues.

Changes for v2.7:

• Browser History - added a $saja->runWithHistory() method
• Session Changes - no more saja(true) - the session is always preserved.

SAJA v2.6 - Release Date: October 24, 2006

The major addition to this release is the ability to define multiple function libraries. The problem of having one massive ajax function library goes away! Designed for well-organized and more maintainable applications.

Changes for v2.6:

• Multiple callable user-defined function libraries - added support for multiple function libraries (instead of all user functions in one massive file)
• Function-level encryption deprecated - function name encryption deprecated (function name is now stored in the session where it is never seen by the end user)
• User-defined libraries simplified - user function libraries simplified (no more parent:: class)

Please see the new documentation on managing your function libraries.

SAJA v2.5.1 - Release Date: October 19, 2006

This is a minor update. Only saja.js was patched. I have also made a few small changes to the demo page.

Changes for v2.5.1:

• Comma Bug Fix - Fixed a bug that caused commas to break saja in some cases.
• Status Indicator Behavior - If you do not call $saja->status() the status indicator will no longer change the mouse pointer to an hourglass.

SAJA v2.5 - Release Date: October 05, 2006

Changes for v2.5:

• Security Improvements - Saja is now using a much nicer and much more secure method for executing the server side functions.
• PHP Serialization - All input is now escaped & serialized before being passed into PHP. This makes everything generally much cleaner.
• No more $saja->send() - This is now done automatically if you call any of the response functions. You can still call or return $this->send() as done in previous versions if needed.
• Easy Redirect Method - you can now call $this->redirect('http://myurl.com'); in your response functions to direct the user to a new page. (Useful for form completion)

SAJA v2.3 - Release Date: September 01, 2006

Changes for v2.3:

• Valid Functions Array - There is no more "valid functions" array needed, and the level of security is not compromised.
• No more "$saja = new saja;" on server side - New Class extension lets all saja methods be refered to with the $this keyword, instead of requiring you to instantiate the class each time.
• secure_mode() deprecated - Secure mode is now enabled by default. To enable secure HTTP, call $saja->secure_http();
• seamless integration with JavaScript Variables - Now you can pass any javascript variable (primitives, objects, HTML DOM Elements, or Arrays) into SAJA just as you would in Javascript. The element quick-selectors are still available. (i.e. myPHPfunction(document.getElementById('formInput').value) and myPHPfunction(formInput:value) are equivalent).

SAJA v2.2 - Release Date: July 23, 2006

Changes for v2.2:

• RC4 Fix - secure HTTP mode was broken in version 2.1
• E_ALL Fix - SAJA will now work in E_ALL mode with no messages
• URL Decoding Fix - Some characters were breaking SAJA requests

SAJA v2.1 - Release Date: July 08, 2006

Changes for v2.1:

• Session Fix - Even if the session cookie is not properly passed, secure mode will still work
• Secure Mode Fix - secure_mode() now clears the HTTP encryption key and uses function call encryption only. Use secure_http() for both encrypted data and function calls. secure_functions() has been deprecated.
• Strict Vars - No more undefined vars, SAJA will now be error free on systems where the error mode is set to E_ALL.
• Status Indicator Hidden - Status indicator now starts completely hidden, regardless of style settings

SAJA v2.0 - Release Date: May 13, 2006

Secure requests are now fully encrypted. Secure mode now allows SAJA to send encrypted POST data over non-encrypted HTTP channels. Please see additional notes on the true security level of SAJA.

Changes for v2.0:

• Encrypted POST Data - The secure_mode() method now encrypts the actual data being sent to the server as well as the representative PHP function you are calling. SAJA requests may now be considered fully encrypted.
• Performance Options - For fastest performance and no security, do not call any of the saja secure mode functions. For function/validation-level security use secure_functions(), for data-level security use secure_http(), and for both, use secure_mode().
• Consolidated SAJA Library - Added all SAJA functions within the saja object. No more floating functions.
• JS Debug Removed - The "Element does not exist" debug message was removed from the JS file. Use native JavaScript debugger instead.

SAJA v1.7 - Release Date: May 01, 2006

Made a few minor changes. Note that when upgrading to a new version of SAJA, you DO NOT need to overwrite your saja.functions.php file. Always back up your current files, especially if you have modified them.

Changes for v1.7:

• OO JavaScript - All saja JavaScript is now contained in a single JS object, so it will not pollute the namespace of your application.
• Show / Hide Fix - Fixed the show / hide methods to also work with non-block elements.
• Easier Styling - Added a style method, allowing you to set the css text directly.

SAJA v1.6 - Release Date: April 29, 2006

SAJA has finally been added to the official SourceForge.net file repository (it was previously downloaded straight from a file on this website.) Note that when upgrading to a new version of SAJA, you DO NOT need to overwrite your saja.functions.php file. Always back up your current files, especially if you have modified them.

Here is a summary of the changes:

• No More Update Eval! - The initial version of SAJA used the JS "eval" function to update HTML elements on the page due to the "style" attribute being inaccessible via the element[property] syntax. This is now fixed to work if property is something like "style.backgroundColor" without using eval. Eval is still used to execute your JS callback functions and no proplems or complaints have arisen due to using this method.
• SajaStatus Optional - You won't have to worry about getting errors on pages that prefer to not show the "working" indicator. The indicator wil only be shown on pages which you call the "saja_status" method.
• Padded Function Names - The encrypted function calls are now padded to hide the original length of the function name.
• Minor Bug Fix - Fixed a PHP typo that slipped by the debug radar since it was still technically valid PHP code!

SAJA v1.5

Initial release.

System Requirements

Saja is currently implemented through PHP only. It consists of 4 files. You should only need to edit saja.functions.php to get it to work. It is written and tested for PHP4.

This software available under the MIT Licence.