electricshoe Posted January 18, 2008

I have a PHP application already built and I'm trying to add AJAX to it. (This is mainly a PHP question though.) I need to be able to secure query information that I send between files. Can't just create a file that's like query.php?q="INSERT INTO table (Whatever you want!) VALUES ('ruin my database') and pass that info to it through GET, nor through POST.

I understand I could set a session variable with the query string inside it, and pass the session ID through AJAX, as well as the names of the session variables to call. And by calling those variables the PHP file would then do what it needed as per what variables it was provided.

How secure would this be? I've been reading about session hijacking, but it doesn't seem possible. There isn't much you can do with a plain text Session ID to harm my server, right? Or with a plain text Session ID, and the session variable names, but not values. There's no way for a user to set a session variable value short of hacking my server and uploading their own PHP, right?

Thanks a lot in advance, I'm trying to become less of a session noob, and more of a session pro!

Nhoj Posted January 18, 2008

To solve this:

query.php?q="INSERT INTO table (Whatever you want!) VALUES ('ruin my database') and pass that info to it through GET, nor through POST.

I'd simply do query.php?q=1

Then, in query.php do something like

    if ($_GET['q'] == 1) {
        // Do some predefined query that others can't tamper with
    }

And simply make a different # for as many queries as you need.

electricshoe Posted January 18, 2008 Author

Thanks for the reply. The problem with that solution is that all of the queries are generated automatically on 2 separate levels, and several of my pages have the potential to need several hundred different queries (which is why I'm switching to AJAX, to only run the ones I need).
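
One way to combine the two approaches discussed in this thread, as an added example that is not part of any post: the page stores each generated statement in the session under a random token, and query.php accepts only that token, never SQL. The function names, the single-use token scheme and the in-memory SQLite table are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Function names, the token scheme and
// the in-memory SQLite table are assumptions made for illustration.

// Page side: store the generated statement and its values in the session and
// return an unguessable token. Only the token is sent to the browser.
function register_query(array &$session, string $sql, array $params): string
{
    $token = bin2hex(random_bytes(16));
    $session['queries'][$token] = ['sql' => $sql, 'params' => $params];
    return $token;
}

// query.php side: the request carries a token, never SQL. Unknown or
// malformed tokens are rejected; known ones run once as a prepared statement.
function run_registered_query(PDO $db, array &$session, $token): ?int
{
    if (!is_string($token) || !isset($session['queries'][$token])) {
        return null; // not something this session registered
    }
    $q = $session['queries'][$token];
    unset($session['queries'][$token]); // single use: a replayed request does nothing
    $stmt = $db->prepare($q['sql']);
    $stmt->execute($q['params']);       // values are bound, not concatenated
    return $stmt->rowCount();
}

// Constructed demo: a plain array stands in for $_SESSION, SQLite runs in memory.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');
$session = [];

$token = register_query($session, 'INSERT INTO notes (body) VALUES (?)', ['hello']);

var_dump(run_registered_query($db, $session, $token)); // token this session registered
var_dump(run_registered_query($db, $session, $token)); // replay of the same token
var_dump(run_registered_query($db, $session, "INSERT INTO notes (body) VALUES ('x')")); // raw SQL sent as q
var_dump($db->query('SELECT COUNT(*) FROM notes')->fetchColumn()); // rows actually written
```

In a real page the first argument would be `$_SESSION` after `session_start()`, and the token would be read from the request in place of the numeric `q` value.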