
Session 10

The document discusses JSON and its real-world applications. It describes how different programming languages and browsers support JSON, how to use JSON for web and data storage, and compares JSON to relational databases. The document also covers JSON content types, libraries that help parse and format JSON in languages like Java and C#, and common applications of JSON like APIs, NoSQL databases, and asynchronous JavaScript.

Uploaded by Giang Chee

Session 10

JSON in Real World

Objectives

o Describe the support of different browsers and programming languages for JSON
o Describe JSON content types
o Explain how to use JSON for Web and Data Storage
o Compare JSON with relational databases
o Identify security and data portability issues with respect to JSON

© Aptech Ltd. Modern Markup for Data Interchange/Session 10 2

Support for JSON

o Each major programming language can incorporate JSON, natively or through libraries.
o This is possible by incorporating two functionalities, namely:
  ▪ Parsing
  ▪ Formatting

JSON with C# and Java

o These languages support statically typed classes and not objects of HashMap or Dictionary type.
o The solution is to use a library along with custom code for converting these structures into static type instances.
o The Gson library from Google is one such library that resolves the issue.

What is Gson

o Is an open-source Java library for transforming a Java object to JSON data and vice-versa.
o Offers easy mechanisms such as constructor (factory method) and toString().
o Functions well with arbitrary Java objects, including pre-existing ones.
o Serializes and deserializes huge data without any issues.
o Is convenient to learn and use by only using toJson() and fromJson().

JSON with PHP

o From version 5.2.0, the extension for JSON is packaged into PHP.
o The following table shows the functions for encoding and decoding JSON structures:

Function | Description
json_encode | Serializes the stated array or object and returns it in the JSON format if successful, or FALSE on failure.
json_decode | Deserializes JSON data and returns the suitable PHP type.
json_last_error | Returns the error that happened last.

MIME Type of JSON

o Is also called media type or content type.
o Is a two-part identifier composed of a type and subtype separated by a slash.
o Aids in identifying the type of formatted content being sent over the Web.
o Is ‘application/json’ for JSON.
o Is unofficially ‘text/json’ or ‘text/Javascript’.

Applications of JSON

o APIs
  • For exchanging data to and from APIs
  • Popular in social networking sites implementing API
o NoSQL
  • For storing data easily in NoSQL databases, as JSON is easily convertible into JavaScript
o Asynchronous JavaScript and JSON (AJAJ)
  • For replacing XML when new data is fetched by a loaded Web page in a browser
o JSON-RPC (Remote Procedure Call)
  • For replacing Simple Object Access Protocol (SOAP) or XML-RPC and for sending several calls and notifications to a server
o Package Management
  • For storing metadata

JSON HTTP and Files

o JSON displays the data fetched from a Web server efficiently through the XMLHttpRequest object.
o The object exchanges data in the background, which prevents reloading the full page for updates.
o Following is the syntax of initializing the object:

  variable = new XMLHttpRequest();

JSON for Data Storage

o JSON helps in storing data fetched from services and applications.
  • Reasons: Simplicity and ‘just adequate structure’
o RDBMS and Structured Query Language (SQL) are now replaced by NoSQL databases for developers who prefer JSON.
  • Trends: More implementation of JSON-centric document databases, JSON in traditional RDBMS’
  • Reasons: Developer-friendly and agility

Document versus Relational Databases

Aspect | Document-oriented Databases | Relational Databases
Coupling | Tighter due to the need to navigate the document while querying | Loose
Portability and Standardization | No, due to new query language setup for each document store | Yes, due to well-defined SQL query core
Optimization | Restricted, due to no abstraction between the logical data structure and its physical storage definition | Fully optimized, due to abstraction ensured by highly queryable stored data
Consistency and Normalization | No, due to no support for constraints | Yes

Benefits of Using JSON in RDBMS

o Decision Power for:
  • The data portions to be abstracted
  • Areas where flexibility is essential
  • Locations where strict schema and constraints are essential
o JSON Query as Native SQL:
  • Allows querying randomly across JSON records in tables
  • Allows expanding systems to use JSON

JSON versus RDBMS Data Models

Aspect | JSON | RDBMS
Storage Structure | Is array or object. | Is a table.
Metadata | Can be in a schema, but is not pre-created. | Is stored in a schema generated while creating a table.
Data Retrieval | Uses evolving languages namely, JSON Query Language (JAQL) and JSONiq | Uses SQL.
Sorting | Is only for arrays. | Is for tables.
Learning Curve | Is smoother. | Is time consuming.
Application | Is used in several programming languages. | Is in the form of many commercial and open-source databases.

Security Issues in JSON

o JSON, as a flexible subset of JavaScript, has some security issues.
o The following code shows the root cause that increases the risk of malicious script, a major issue:

  var data = eval('(' + JSONresponse + ')');

Issues with Eval()

o Most JSON text is syntactically JavaScript.
o JavaScript interpreter converts JSON into a JavaScript object without validation.
o This increases the risk of authentication forgery, identity and data theft, and misuse of resources.
o Solution: JSON.parse() and JSON.stringify() functions processing text only in JSON format

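The difference between the two parsing approaches, as an added example that is not part of the original slides: the eval() pattern executes whatever the response contains, while JSON.parse() rejects anything that is not JSON text. The two response strings and the audit array are constructed for illustration.

```javascript
// Constructed responses for illustration; neither comes from the slides.
const audit = []; // records any code that runs while a response is "parsed"
const benignResponse = '{"user": "alice", "admin": false}';
// Valid JavaScript but not JSON: an expression that calls a function.
const hostileResponse =
  '(function () { audit.push("code ran"); return {"user": "mallory", "admin": true}; })()';

// The pattern from the slide: the response text is executed as JavaScript.
function parseWithEval(JSONresponse) {
  return eval('(' + JSONresponse + ')');
}

// The replacement the slide names: JSON.parse() accepts JSON text only.
function parseSafely(JSONresponse) {
  try {
    return { ok: true, data: JSON.parse(JSONresponse) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Runs both parsers on one response and reports what happened.
function compare(JSONresponse) {
  audit.length = 0;
  const evalResult = parseWithEval(JSONresponse);
  return { sideEffects: audit.slice(), evalResult, safe: parseSafely(JSONresponse) };
}

console.log(compare(benignResponse));
console.log(compare(hostileResponse));
```

For the constructed non-JSON response, eval() runs the embedded function and returns an object with admin set to true, while JSON.parse() throws a SyntaxError and nothing executes.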
XSS and CSRF Issues

XSS and CSRF Solution

By using the jsonify() function

Implementation Issues

o Denial of Service (DoS) Attack
  • Renders a resource or a machine on a network unavailable to its targeted users
o Mass Assignment Vulnerability
  • Abuses the functioning pattern of a record in a Web application to illegitimately change confidential data items

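One way to guard a JSON update handler against both issues, as an added example that is not part of the original slides: the unsafe version copies every key of the request body onto the record, the hardened version caps the body size before parsing and applies only allowlisted, type-checked fields. The record shape, field names and size limit are assumptions made for this example.

```javascript
// Constructed example data; field names and limits are assumptions.
const MAX_BODY_BYTES = 1024; // cap input size before parsing (DoS guard)
const EDITABLE_FIELDS = { displayName: 'string', email: 'string' };
const sampleBody = '{"displayName": "M.", "isAdmin": true}';

function newRecord() {
  return { id: 7, displayName: 'Mallory', email: 'm@example.test', isAdmin: false };
}

// Vulnerable pattern: every key in the request body is copied onto the record.
function updateUnsafe(record, body) {
  return Object.assign(record, JSON.parse(body));
}

// Hardened pattern: bounded size, JSON object only, allowlisted and typed keys.
function updateSafe(record, body) {
  if (Buffer.byteLength(body, 'utf8') > MAX_BODY_BYTES) {
    return { ok: false, reason: 'body too large' };
  }
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (err) {
    return { ok: false, reason: 'invalid JSON' };
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return { ok: false, reason: 'expected a JSON object' };
  }
  const rejected = [];
  for (const [key, value] of Object.entries(parsed)) {
    const allowed = Object.prototype.hasOwnProperty.call(EDITABLE_FIELDS, key);
    if (allowed && typeof value === EDITABLE_FIELDS[key]) {
      record[key] = value;
    } else {
      rejected.push(key); // worth logging: a client tried to set this field
    }
  }
  return { ok: true, record, rejected };
}

console.log(updateUnsafe(newRecord(), sampleBody));
console.log(updateSafe(newRecord(), sampleBody));
```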
Portability Issues

o Unicode Line Terminators
  • Are allowed in JSON without being escaped, but need to be backslash escaped for portability.
o Null Character
  • Is allowed in JSON string if escaped as “\u0000”, which creates issues with C strings.
o UTF Encoding
  • Involves having a few escaped characters using UTF-16 surrogate pairs, which a few JSON parsers do not recognize.
o JSON Numbers
  • Involve integers and floating-point numbers, which are distinguished by some languages only, not by all.
  • Have no specifications for rounding, overflow, and precision loss.
o Unsupported Data Types
  • Involve Error, Date, Undefined, Function, and Regular Expression, which JSON does not accept.

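A pre-serialization check for the hazards listed above, as an added example that is not part of the original slides: it walks a value, reports each portability issue with its path, and a round trip shows what JSON.stringify() actually does with the same data. The sample object, path syntax and messages are constructed for this example.

```javascript
// Reports the portability hazards from the slide before a value is serialized.
// Paths and messages are this example's own wording.
function findPortabilityIssues(value, path = '$', issues = []) {
  const t = typeof value;
  if (t === 'undefined' || t === 'function') {
    issues.push(`${path}: unsupported type ${t}`);
  } else if (t === 'number') {
    if (!Number.isFinite(value)) {
      issues.push(`${path}: NaN or Infinity has no JSON form`);
    } else if (Number.isInteger(value) && !Number.isSafeInteger(value)) {
      issues.push(`${path}: integer outside the safe range, precision may be lost`);
    }
  } else if (t === 'string') {
    if (value.includes('\u0000')) issues.push(`${path}: null character`);
    if (/[\u2028\u2029]/.test(value)) issues.push(`${path}: Unicode line terminator`);
    if (/[\uD800-\uDFFF]/.test(value)) issues.push(`${path}: UTF-16 surrogate`);
  } else if (value instanceof Date || value instanceof RegExp || value instanceof Error) {
    issues.push(`${path}: unsupported type ${value.constructor.name}`);
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => findPortabilityIssues(v, `${path}[${i}]`, issues));
  } else if (value !== null && t === 'object') {
    for (const [k, v] of Object.entries(value)) {
      findPortabilityIssues(v, `${path}.${k}`, issues);
    }
  }
  return issues;
}

// What actually survives a JSON.stringify()/JSON.parse() round trip.
function roundTrip(value) {
  return JSON.parse(JSON.stringify(value));
}

// Constructed sample covering each item on the slide.
const sample = {
  id: 9007199254740993, // 2^53 + 1: JavaScript already stores this as ...992
  note: 'line one\u2028line two',
  tag: 'abc\u0000def',
  emoji: '\uD83D\uDE00',
  created: new Date(0),
  pattern: /a+/,
  callback: function () {},
  missing: undefined,
  ratio: NaN,
  nested: [1, { ok: true }],
};

console.log(findPortabilityIssues(sample));
console.log(roundTrip(sample));
```

In the round trip the function and undefined members disappear, NaN becomes null, the Date becomes a string and the regular expression becomes an empty object, all without any error being raised.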
Handling JSON Securely

o Avoiding eval() by using a JavaScript library available at www.json.org, such as JSON sans eval()
o Ensuring data integrity via XMLHttpRequests

Summary 1-2

o Modern programming languages incorporate JSON via libraries or native parsing support.
o Gson is an open-source Java library for converting a Java object into JSON and vice-versa.
o Formal MIME type for JSON text is ‘application/json’.
o JSON is used in several applications, such as in APIs, NoSQL databases, RDBMS’, Web development, and application packages.

Summary 2-2

o Unlike relational databases, JSON does not have tables, pre-created metadata, and support for SQL.
o Using eval() for parsing JSON data can lead to security attacks such as XSS and CSRF.
o JSON is prone to DoS attacks and the mass assignment vulnerability.
o Developers can secure JSON structures by replacing eval() with a JavaScript library and/or using XMLHttpRequests.
