
Is it better to make the AJAX script do all the work, or vice versa?


2 replies to this topic

#1 CrimpJiggler

CrimpJiggler

    Advanced Member

  • Members
  • 52 posts

Posted 20 December 2013 - 04:57 AM

When you call a PHP script with AJAX, you can add loads of code to that PHP script and make it do all kinds of computations, or you can do these computations before making the AJAX call, and get the PHP script only to do the bare minimum. For example, let's say you use AJAX to add and modify rows in a MySQL database table and you use this for multiple purposes (i.e. you might need to add a new row to a table, or you might need to edit a specific field, or might need to add a row then edit another one etc.). The bare minimum would be if you determine which type of action to perform beforehand then just pass the SQL query string to the PHP script. Or you could pass a few variables to the PHP script and let it determine what SQL query it needs to use. Which approach is better?



#2 trq

trq

    Advanced Member

  • Administrators
  • 30,732 posts
  • Location: Sydney, Australia.

Posted 20 December 2013 - 07:59 AM

Passing an SQL query around where people can see it is fraught with all sorts of dangers.


http://thorpesystems.com | http://proemframework.org | http://github.com/trq

SmtpCatcher - A very simple mock sendmail useful for testing PHP mail scripts.
OPM - My Linux package manager.


#3 Psycho

Psycho

    Advanced Member

  • Gurus
  • 10,403 posts
  • Location: Canada

Posted 20 December 2013 - 11:55 AM

100% agree with trq.

But, to add a broader answer: you should never have any "business logic" in JavaScript - or at least you should never rely upon it. You cannot control anything that is done in JavaScript. Since JavaScript is executed client-side, it is a simple matter for someone with a modicum of knowledge to pass malicious data. For example, if you have a form that requires an email address, you absolutely need to do that validation in PHP code. However, it wouldn't be a bad idea to also add some JavaScript code to do that validation to give the user some immediate feedback. Just know that you cannot rely upon the JavaScript validation.

Think of the browser as an input method for the user to pass/request information from the server. You can never trust anything coming from the browser. It doesn't matter if it is a form post or an AJAX request. If you have a form with "hidden" fields, a user can manipulate those. If you have a select list in a form, a user can pass any value for that field - not just the ones you put in the list.

All business logic must be performed on the server. Only use JavaScript to enhance the user experience.


The quality of the responses received is directly proportional to the quality of the question asked.

I do not always test the code I provide, so there may be some syntax errors. In 99% of all cases I found the solution to your problem here: http://www.php.net
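
Added example (not code from any poster in this thread): a server-side handler for the approach the replies recommend, where the AJAX call sends only an action name and field values, and the PHP side picks the SQL, validates every field and uses prepared statements. The `contacts` table, the action names and the `handleRequest` function are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Hypothetical "contacts" table and action names; in-memory SQLite keeps the demo self-contained.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, email TEXT NOT NULL, status TEXT NOT NULL)');

// Values the form's select list offers; re-checked here because the browser can send anything.
const ALLOWED_STATUS = ['active', 'paused'];

function handleRequest(PDO $pdo, array $in): array
{
    // The client only names an action; the SQL for each action exists solely on the server.
    $action = is_string($in['action'] ?? null) ? $in['action'] : '';
    switch ($action) {
        case 'add':
            $email = filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL);
            if ($email === false) {
                return ['ok' => false, 'error' => 'invalid email'];
            }
            $stmt = $pdo->prepare('INSERT INTO contacts (email, status) VALUES (?, ?)');
            $stmt->execute([$email, 'active']);
            return ['ok' => true, 'id' => (int) $pdo->lastInsertId()];
        case 'set_status':
            $id = filter_var($in['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
            $status = $in['status'] ?? '';
            if ($id === false || !in_array($status, ALLOWED_STATUS, true)) {
                return ['ok' => false, 'error' => 'invalid id or status'];
            }
            $stmt = $pdo->prepare('UPDATE contacts SET status = ? WHERE id = ?');
            $stmt->execute([$status, $id]);
            return ['ok' => $stmt->rowCount() === 1];
        default:
            return ['ok' => false, 'error' => 'unknown action'];
    }
}

// Constructed sample requests standing in for decoded $_POST data from AJAX calls.
$requests = [
    ['action' => 'add', 'email' => 'alice@example.com'],
    ['action' => 'add', 'email' => 'not-an-email'],
    ['action' => 'set_status', 'id' => '1', 'status' => 'paused'],
    ['action' => 'set_status', 'id' => '1', 'status' => 'admin'],  // value not in the select list
    ['action' => 'query', 'sql' => 'DELETE FROM contacts'],         // client-supplied SQL is never run
];
foreach ($requests as $r) {
    echo json_encode($r), ' => ', json_encode(handleRequest($pdo, $r)), PHP_EOL;
}
```

Any JavaScript validation in front of this endpoint only improves feedback for the user; the checks in `handleRequest` are the ones that decide what reaches the database.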



