This applies to Joomla AjaxChat1.0.x only. AjaxChat2.0.x will use an API with more functionality.
Each message received by a user in the chat system will first go through the built-in filters, which filter out HTML and translate BBCode and Smilies to their HTML equivalents. Each step is optional and configured in the AjaxChat configuration under.
You can however implement your own PHP-based filters. These custom filters are blocks of PHP code that are executed on the server when a message is received. They run only at that point, before the message is saved, so each filter is executed exactly once per message. Later requests for the message by other users in the chat system do not re-invoke the filters, so the load on the server is low.
To implement a custom PHP filter, log into the Joomla Admin Panel. Then navigate to:
Component -> AJAX Chat -> Custom Filters
You will be presented with the existing custom filters.
Click the "Add" button.
This will create a new row at the top of the existing filters, where you can fill in the function name, and the PHP code to run.
Function Name:
The function name must be a valid PHP function name, which means it must start with a letter and may then include letters, numbers and the _ character.
Custom PHP Code to Run
The PHP code must be valid PHP code. You must remember that the PHP code is executing within a function, whose name you gave in the "Function Name" field.
The only parameter passed to the function is $string, which represents the message text. You can manipulate the $string variable, and then return it so that the chat system will apply the changes to the actual message.
Example 1: Add a horizontal line after every message
// append a horizontal rule to the received message
$string .= '<hr />';
return $string;
Here we simply append "<hr />" to the end of the received message.
Example 2:
Change any instance of the word "test" to bold format.
return str_replace('test', '<b>test</b>', $string );
Here the PHP function str_replace() replaces all occurrences of the first parameter "test" with the second parameter "<b>test</b>" in the third parameter $string, which is the message. We then return the manipulated $string variable.
Sending email when a particular message is received:
Let's say you want to know whenever someone says your name in the chat room. Your name is John. You can create a custom filter that will send you an email whenever someone says John in the chat room.
// match "john" as a whole word (case-insensitive), preceded by start-of-line, a space or a comma
// and followed by a space, end-of-line or a full stop
$match = preg_match("/(^| |,)john( |$|\.)/i", $string, $matches);
if ($match) {
    mail('john'.'@'.'example.com', 'Someone Said your Name', 'Your name was uttered in your chatroom in the message: '.$string);
}
Now if you place that in a custom filter and call it, say, "say_my_name", it will email you whenever someone says john.
The preg_match() function takes a regular expression (a pattern) and looks for matches of that pattern in its second argument, $string.
The reason we didn't do a simple string match is that we want to match only the whole word "john", which can be between two spaces or at the beginning or end of a sentence. So we need the pattern "/(^| |,)john( |$|\.)/i", which can certainly be improved.
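One such improvement, added here as an example and not part of the original page, uses \b word boundaries and preg_quote() so that punctuation around the name is handled and the name list can be changed without rewriting the pattern. The names array and the email address are assumed placeholder values.

```php
// Added example (not from the original page): word-boundary version of the
// "say my name" filter. $names and $to are assumed placeholder values.
$names = array('john', 'johnny');        // nicknames to watch for
$to    = 'john' . '@' . 'example.com';   // placeholder address

// Quote each name so regex metacharacters in a nickname cannot alter the pattern,
// then join them into one alternation. \b gives a real word boundary, so
// "John," "john." and "JOHN!" all match while "johnson" does not.
$alts = array();
foreach ($names as $name) {
    $alts[] = preg_quote($name, '/');
}
$pattern = '/\b(' . implode('|', $alts) . ')\b/i';

if (preg_match($pattern, $string, $m)) {
    // The message is user input: strip any HTML before it goes into the mail body,
    // since the built-in HTML filter is optional and may be switched off.
    $body = 'Your name (' . $m[1] . ') was mentioned in the chat room: ' . strip_tags($string);
    mail($to, 'Someone said your name', $body);
}

// Always hand the (unchanged) message back so it is still saved and shown.
return $string;
```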
Querying the database when a message is received:
You may want to query the database when the message is received. This can easily be done using the Joomla API. This example is with the Joomla1.0 API, which is the API AjaxChat1.0 uses.
To query the database, you first need to get a reference to the $database object. Since we are inside a function, you will have to use the "global" keyword.
global $database; // Joomla 1.0 database object
Then you can use the methods provided by $database.
$query = "select * from #__ajaxchat_sessions"; // #__ is replaced with the Joomla table prefix
$database->setQuery($query);
$sessions = $database->loadObjectList();     // array of row objects, one per session
The above would retrieve every available session in the AjaxChat sessions table.
Here is an example working custom filter that will replace every username with a link to their Community Builder Profile page.
global $database;
// get words from chat msg (undo magic quotes first so the words are the raw text)
$users = explode(" ", get_magic_quotes_gpc() ? stripslashes($string) : $string, 100);
// escape strings for mysql query
foreach($users as $i=>$user) {
    $users[$i] = "'".mysql_real_escape_string($user)."'";
}
// do mysql query: fetch every user whose username appears as a word in the message
$query = "select id, username from #__users where username in (".implode(',', $users).")";
$database->setQuery($query);
$rows = $database->loadObjectList();
foreach($rows as $row) {
    // preg_quote() keeps regex metacharacters in a username from breaking the pattern;
    // $1 and $3 re-insert the surrounding space / line boundary
    $string = preg_replace("/(^| )(".preg_quote($row->username, '/').")( |$)/i", "$1<a href=\"".sefRelToAbs('index.php?option=com_comprofiler&task=userProfile&user='.$row->id)."\" target=\"_blank\">".$row->username."</a>$3", $string);
}
return $string;
Security Guidelines for Custom Filters:
To ensure the security of your chat application, you must understand a few security concepts in Joomla and AjaxChat.
Each message received on the AjaxChat server, is first stripped of HTML (if enabled) and then escaped for input into the MySQL server.
Stripping HTML:
Stripping the HTML ensures that no JavaScript, ActionScript or other client-side scripting can be embedded in a message. This applies both to viewing the message in the admin panel and to viewing it as a chatter. Client-side scripting can be used in a number of exploits that can lead to access to your Joomla Admin Panel by a remote attacker using an active session.
Escaping strings for MySQL query:
Escaping the message makes sure it cannot carry a MySQL injection. MySQL injection can directly alter the database and thus allow attackers to read it, or modify it so that they can access other services on your server, such as the Joomla Admin panel.
In AjaxChat both of these are very important due to the frequency of messages saved to the database, as well as displayed to users and the admin in the Joomla admin panel.
When you create a custom filter, you must make sure you do not open an exploit. To do this, make sure you strip all HTML from user input, as well as escape any string you will use to query the database.
Please be aware that user input does not only mean direct input from the user; it can be such a thing as the user's name or an article title. If you do not know the range of characters a string you use may contain, strip and escape it before performing actions on it.
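Applying these guidelines to the Community Builder profile-link filter from above gives the following hardened version. It is an added example, not code from the original page or from AjaxChat, and it assumes the same Joomla 1.0 globals and helpers the page uses ($database, sefRelToAbs() and the #__users table).

```php
// Added example (not from the original page): hardened profile-link filter.
// Assumes Joomla 1.0's $database, sefRelToAbs() and the #__users table.
global $database;

// Undo magic quotes, then strip any HTML the message may still carry:
// the built-in HTML filter is optional, so do not rely on it here.
$text = get_magic_quotes_gpc() ? stripslashes($string) : $string;
$text = strip_tags($text);

// Candidate words from the message; drop empty entries and duplicates.
$words = array_unique(array_filter(explode(' ', $text, 100), 'strlen'));
if (empty($words)) {
    return $text;
}

// Escape every word before it goes into the IN (...) list.
$quoted = array();
foreach ($words as $word) {
    $quoted[] = "'" . mysql_real_escape_string($word) . "'";
}
$database->setQuery("select id, username from #__users where username in (" . implode(',', $quoted) . ")");
$rows = $database->loadObjectList();
if (!$rows) {
    return $text;
}

foreach ($rows as $row) {
    // The username came from the database, not from this message, but it is still
    // user-chosen: preg_quote() stops regex metacharacters from altering the pattern,
    // htmlspecialchars() stops it from injecting markup into the link text, and the
    // (int) cast guarantees the id in the URL is numeric.
    $pattern = '/(^| )(' . preg_quote($row->username, '/') . ')( |$)/i';
    $label   = htmlspecialchars($row->username, ENT_QUOTES, 'UTF-8');
    $url     = sefRelToAbs('index.php?option=com_comprofiler&task=userProfile&user=' . (int) $row->id);
    $href    = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    // Single quotes keep $1 and $3 literal so preg_replace() sees them as backreferences.
    $link    = '$1<a href="' . $href . '" target="_blank">' . $label . '</a>$3';
    $text    = preg_replace($pattern, $link, $text);
}
return $text;
```

Because the message is stripped of HTML before any username is linked, the only markup that reaches the database is the anchor the filter itself builds from escaped values.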