Thought Delimited

NOT doing the tip that I'm about to share has bitten me twice now, so I'm putting this out there as a reminder to myself as well.

The jQuery live() function is an extremely useful function to have when you're adding or removing page elements that have jQuery event handlers assigned to them because using live() ensures that any new element that matches the live() selector gets that event handler automatically.

It's easy to remember to use live() when you're writing your own code that adds and removes DOM elements, but when you're using a plugin that does the adding and removing behind the scenes, you might not think about it.  In one of my applications, I apply the jQuery DataTables plugin to my HTML tables so that the users can sort and filter the data in the tables.  Included in each row are hyperlinks that trigger certain actions via JavaScript/jQuery. 

When I originally assigned the event handlers to these links, I simply used the "click" event handler on them.  The links worked perfectly if they were displayed as part of the initial page load, but any links belonging to rows that appeared later (as the result of a sort, filter, or pagination event in the plugin) did not work because the link elements were actually added by the plugin, and hence did not have the event handlers assigned to them.

In short, if you're using one of the many plugins to enhance HTML tables, and you have elements in each row that have jQuery events assigned to them, make sure you use the live() function to assign those event handlers.

I haven't been blogging much lately, but that's partly because I was on vacation for a week and partly because I was working on this:

http://www.thoughtdelimited.org/android/notetoself/

It's a fairly simple app built with the standard Android API, but it meets MY need for a note/reminder list that is right there on my Android home screen and lets me see all of my reminders without having to go into the application. And being able to dictate my reminder (I put in the dedicated dictation button because my Swype keyboard doesn't have a key for dictation like the stock Android keyboard does) makes it easy to add a quick note if you can tolerate a mistranslation here or there.

This version is free, so if you have an Android device running 2.1 or higher, feel free to check it out.

Right now, there is a small window of opportunity for Android phone owners to acquire the newest "beta" (honestly, it's about as "beta" as Gmail used to be) version of the Swype virtual keyboard app.  It's only available for a few days for folks willing to register for the "beta" program (which is free) at http://beta.swype.com/.  You can't download it from the Android Market, so once the registration system is closed again you'll have to hope someone hacks the app to make it available (which admittedly happened with the initial beta), or buy one of the Android phones that comes with Swype pre-installed (that is Swype's "official" means of distribution).

So as I said already, Swype is a virtual keyboard app.  Once you install it, you can then use it instead of whatever virtual keyboard came installed and set as the default (ah, the freedom to choose...). What's special about it?  Instead of tapping each key (which you can still do if you want), you swipe/drag your finger across the keyboard from key to key to spell out the word you want to input. Even though you cross over numerous unwanted letters and numbers as you move your finger, it still somehow detects which of the keys you cross over with your fingers are the intended letters (maybe somehow detecting the briefest of pauses or the slight change in direction as you start moving to the next one). If it's not sure what you meant to spell, a list of possible choices pops up and you can tap the correct choice.

You lift your finger to complete a word, and if you start to trace out a new word it adds a space after the previous word automatically. There are also a number of special gestures, such as dragging your finger above the keyboard to capitalize the last letter you selected, and swirling your finger over a letter to enter the letter twice. You can see it in action in the videos on the Swype website.

I've been using Swype for quite a while, and I'm can compose text on my Droid a LOT faster with Swype than I could with the stock Android OR iPod Touch keyboard, and it works for me despite the fact that I sometimes hesitate or "take a wrong turn" because I've forgotten where on the keyboard the next letter is.

I strongly recommend that every Android owner take the opportunity presented by this beta offering and try it out for themselves.

A cross-site request forgery (CSRF) occurs when a hacker takes advantage of the fact that users don't always log out of the websites and web applications they visit. The hacker creates a URL or a form that passes valid data to a valid destination on the target website and hopes that a user who is still authenticated to that website clicks that malicious URL or form. If such a user falls into the trap, the target website will process the request just as if the user had executed the action within the target website under normal circumstances.

One common method for preventing CSRF attacks is to generate a unique value every time a user visits a form on the website and store that value both within the user's session and within the form itself as a hidden field. When the form is submitted, the value in the form is checked against the value stored within the user's session, and if they don't match the form submission isn't processed. The next time the user encounters a form (even if it's the same form), a new unique value is generated. Without a way of knowing what that unique value is at any given time, the hacker cannot build a form or construct a URL that simulates a legitimate request, and the attack fails.

Rather than have to remember to create these unique values and include them within every form (or every URL that executed some sort of data operation), and then check the validity of the submitted value on each processing page, I wanted to see if there was a way I could build CSRF security into the structure of my Model-Glue applications.

Read more...

So yesterday, during the first half of the morning keynote at the Google I/O conference, Google made several announcements about the latest version of the Android OS:  version 2.2, codenamed "Froyo."  Here are several links to pages that go through the announcements:

http://android-developers.blogspot.com/2010/05/android-22-and-developers-goodies.html

http://www.dzone.com/links/r/android_22_and_beyond.html

http://www.blog.droidweb.com/2010/05/android-2-2-annoucned-at-google-io-what-it-means-for-you/

A couple of additional notes:

• One of the announcements was that you could initiate actions on your phone via the "the cloud" (the Internet). In the demo, the presenter's assistant was able to get driving directions on his laptop using the Chrome browser and then send those directions to his Android phone by clicking on a certain link. The presenter said that browser initiated an "intent" on the Android device.

  In Android development, an Intent is a messaging object directed at a component (an Activity, a Service, or a Broadcast Receiver) within an Android application and delivers data to the component. Normally, an Intent can either be explicitly addressed to a specific component by name, or it can be implicitly targeted towards any component whose intent filters make them capable of receiving the intent. I'm curious to see how Google will implement this feature to make sure this capability isn't used maliciously.

• Another announcement was that Android 2.2 would allow developers and users to install applications on the SD card in the Android phone rather than in the phone's internal memory, something that many Android users have wanted for a long time.  The Android Developer site already has a documentation page up regarding this feature, which I glanced over.

  When they write an application using the API for Android 2.2 (apps written to an earlier API will NOT be movable to the SD card using the features in Android 2.2), developers can specify one of the following install locations within their application's manifest file:

  • "preferExternal": the app will initially be installed to the SD card automatically unless the SD card is full. The user will have the option to move it to internal storage if they like.

  • "auto": Android will determine the best location for the initial installation for the app, but again the user has the option of moving it.

  • "internalOnly": the app can only be installed in the internal memory of the device.

  The drawback to running an application from the SD card is that all application processes currently active on the SD card are killed whenever the user connects their Android device to their computer and chooses to mount the SD card as an external USB drive. Applications that use certain features can break when this situation occurs, and therefore such applications may have the "internalOnly" install setting in place to prevent problems.

  The documentation also points out that applications installed to the SD card will still store any private user data and databases for the application in the internal memory. So the need for a way to back up the application data was still needed even with the SD installation option, hence the announced feature in 2.2 that application data could be backed up to the cloud.