Announcing Toxic – an Ajax toolkit

Overview

Toxic is an AJAX toolkit, or framework, for creating rich web applications. It handles the tedious and repetetive tasks involved in integrating a client created using html and javascript with a server backend. Currently there is only a PHP5 backend available. It should be fairly straightforward to add backends in other languages.

Toxic handles the communication that takes place between the client and server. It can also be used to automate validation and sending of form fields in an application.

One difference between Toxic and other frameworks is that you do not need to generate code in any way.

Toxic can:

• Directly call methods in PHP classes from javascript.
• Bind form fields to method calls with automatic validation.
• Create callbacks that directly call javascript functions from the backend.
• Automatically transform javascript variables to PHP parameters.
• Send any javascript variable or object with associated keys.
• Automatically transform PHP exceptions into javascript exceptions.

Synchronous/asynchronous

The default mode for Toxic is synchronous. In this mode any exceptions on the server side will be automatically translated into a javascript exception.

If you want a call to be asynchronous you only need to bind a callback to a method call. All further calls to that specific method will be done asynchronously. When calls are made asynchronous a default timeout is used. This can be changed by a public property in the RemoteObject class.

Multiple requests

It is possible to have one RemoteObject that process several asynchronous calls concurrently. Using this excessively is not tested and probably not a good idea.

Hard v soft callbacks

Toxic let you create callbacks in two different modes. Hard callbacks are used by default and are also the simplest. A hard callback gives you the ability to create a javascript function with your own parameters. This javascript function is then called directly from the server side without any fuzz.

A soft callback gives you more control in that your javascript function only receive one parameter, the RemoteResult object. This gives you access to all the data received as well as the native request object with all the HTTP headers.

Serialization

All data transferred between client and server is serialized in a slimlined XML format. Before any server side code parses the data the XML is validated against a DTD to enforce the correct format. The format is inspired by JPSpan.

<!ELEMENT class (a*|i*|d*|b*|n*|s*|u*)*>
<!ATTLIST class name CDATA #REQUIRED
                method CDATA #IMPLIED
                error CDATA #IMPLIED>
<!ELEMENT a (a*|i*|d*|b*|n*|s*|u*)*>
<!ATTLIST a id ID #IMPLIED
            k CDATA #IMPLIED>
<!ELEMENT i EMPTY>
<!ATTLIST i id ID #IMPLIED
            k CDATA #IMPLIED
            v CDATA #REQUIRED>
<!ELEMENT d EMPTY>
<!ATTLIST d id ID #IMPLIED
            k CDATA #IMPLIED
            v CDATA #REQUIRED>
<!ELEMENT b EMPTY>
<!ATTLIST b id ID #IMPLIED
            k CDATA #IMPLIED
            v CDATA #REQUIRED>
<!ELEMENT n EMPTY>
<!ATTLIST n id ID #IMPLIED
            k CDATA #IMPLIED>
<!ELEMENT s (#PCDATA)>
<!ATTLIST s id ID #IMPLIED
            k CDATA #IMPLIED>
<!ELEMENT u (#PCDATA)>
<!ATTLIST u id ID #IMPLIED
            k CDATA #IMPLIED>

Validation & sanitizing

Using Toxic does make things easier on the server side. You don’t have to deal with all the $_POST/$_GET variables. The XML serialization format is enforced by a DTD.

Still Toxic does not free the receiving method of the task to properly validate and sanitize incoming parameter values.

GET, POST and rfc 2616

What about rfc 2616 and HTTP status then? It is said that the GET method should never result in data being altered. Toxic use the POST method only. This could be called cheating but hey . Read more on this topic…