When you call a PHP script with AJAX, you can have that PHP script, you can add loads of code to that PHP script and make it do all kinds of computations, or you can do these computations before making the AJAX call, and get the PHP script only to do the bare minimum. For example, lets say you use AJAX to add and modify rows in a MySQL database table and you use this for multiple purposes (i.e. you might need to add a new row to a table, or you might need to edit a specific field, or might need to add a row then edit another one etc.). The bare minimum would be if you determine which type of action to perform beforehand then just pass the SQL query string to the PHP script. Or you could pass a few variables to the PHP script and let it determine what SQL query it needs to use. Which approach is better?
Is it better to make the AJAX script do all the work, or vice versa?
Posted 20 December 2013 - 07:59 AM
Passing an SQL query around where people can see it is fraught with all sorts of dangers.
Posted 20 December 2013 - 11:55 AM
100% agree with trq.
Think of the browser as an input method for the user to pass/request information from the server. You can never trust anything coming from the browser. It doesn't matter if it is a form post of an AJAX request. If you have a form with "hidden" fields, a user can manipulate those. If you have a select list in a form, a user can pass any value for that field - not just the ones you put in the list.
I do not always test the code I provide, so there may be some syntax errors. In 99% of all cases I found the solution to your problem here: http://www.php.net
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users