CrimpJiggler Posted December 20, 2013

When you call a PHP script with AJAX, you can add loads of code to that PHP script and make it do all kinds of computations, or you can do these computations before making the AJAX call, and get the PHP script only to do the bare minimum. For example, let's say you use AJAX to add and modify rows in a MySQL database table and you use this for multiple purposes (i.e. you might need to add a new row to a table, or you might need to edit a specific field, or might need to add a row then edit another one etc.). The bare minimum would be if you determine which type of action to perform beforehand then just pass the SQL query string to the PHP script. Or you could pass a few variables to the PHP script and let it determine what SQL query it needs to use. Which approach is better?
trq Posted December 20, 2013

Passing an SQL query around where people can see it is fraught with all sorts of dangers.
Psycho Posted December 20, 2013

100% agree with trq. But, to add a broader answer: you should never have any "business logic" in JavaScript - or at least you should never rely upon it. You cannot control anything that is done in JavaScript. Since JavaScript is executed client-side, it is a simple matter for someone with a modicum of knowledge to pass malicious data.

For example, if you have a form that requires an email address, you absolutely need to do that validation in PHP code. However, it wouldn't be a bad idea to also add some JavaScript code to do that validation to give the user some immediate feedback. Just know that you cannot rely upon the JavaScript validation.

Think of the browser as an input method for the user to pass/request information from the server. You can never trust anything coming from the browser. It doesn't matter if it is a form post or an AJAX request. If you have a form with "hidden" fields, a user can manipulate those. If you have a select list in a form, a user can pass any value for that field - not just the ones you put in the list.

All business logic must be performed on the server. Only use JavaScript to enhance the user experience.
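The second option from the question ("pass a few variables to the PHP script and let it determine what SQL query it needs to use"), with the server-side checks described above, as an added example that is not part of the thread. The `contacts` table, the `handle()` function and the action names are assumptions, and in-memory SQLite through PDO stands in for the MySQL table so the script runs offline.

```php
<?php
declare(strict_types=1);
// Assumption: in-memory SQLite replaces MySQL here; the PDO calls are the same.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
// Server-side allowlist of columns a request may edit (hypothetical schema).
const EDITABLE = ['name', 'email'];

function handle(PDO $pdo, array $in): array
{
    $action = $in['action'] ?? '';
    if ($action === 'add') {
        $name  = trim((string)($in['name'] ?? ''));
        $email = filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL);
        if ($name === '' || $email === false) {
            return ['ok' => false, 'error' => 'invalid name or email'];
        }
        $st = $pdo->prepare('INSERT INTO contacts (name, email) VALUES (?, ?)');
        $st->execute([$name, $email]);
        return ['ok' => true, 'id' => (int)$pdo->lastInsertId()];
    }
    if ($action === 'edit') {
        $field = $in['field'] ?? '';
        $id    = filter_var($in['id'] ?? '', FILTER_VALIDATE_INT);
        if (!in_array($field, EDITABLE, true) || $id === false) {
            return ['ok' => false, 'error' => 'field or id not allowed'];
        }
        $value = (string)($in['value'] ?? '');
        if ($field === 'email' && filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
            return ['ok' => false, 'error' => 'invalid email'];
        }
        // $field reaches the SQL text only after matching the allowlist;
        // the client-supplied value and id are always bound parameters.
        $st = $pdo->prepare("UPDATE contacts SET $field = ? WHERE id = ?");
        $st->execute([$value, $id]);
        return ['ok' => $st->rowCount() === 1];
    }
    return ['ok' => false, 'error' => 'unknown action'];
}

// Constructed requests, shaped like $_POST from the AJAX call.
$requests = [
    ['action' => 'add', 'name' => 'Ann', 'email' => 'ann@example.com'],
    ['action' => 'edit', 'id' => '1', 'field' => 'email', 'value' => 'ann@example.org'],
    ['action' => 'edit', 'id' => '1', 'field' => 'id', 'value' => '99'],
    ['action' => 'add', 'name' => 'Bob', 'email' => 'not-an-email'],
];
foreach ($requests as $r) {
    echo json_encode($r), ' => ', json_encode(handle($pdo, $r)), PHP_EOL;
}
```

The first two requests succeed; the third is refused because `id` is not an editable column even though the client asked for it, and the fourth fails the server-side email check regardless of what JavaScript validated.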