3

I'm using an ajax call to query a database. I'd like to pass a complex sql query as part of the ajax data. Is this the way I should be doing it?

var myQuery = 'select * from table....';

$.ajax({
    type: "GET",
    url: 'jsonQuery.php',
    dataType: 'json',
    data: {keyvalue: 2416, q: myQuery},
    success: function(pieData) {
        //do something with the response
    }
});
1
  • 6
    Well, there's nothing wrong with your syntax, but for security reasons people don't typically send SQL to server... Don't forget all your client script is exposed to everyone, I can change the SQL you wrote in your code to do things I want. You can use a 'verb' like 'get' as a GET parameter and let PHP decide what SQL to execute. Commented Feb 12, 2013 at 16:30

3 Answers 3

4

Yes, there is a better way. Keep the query on the .php page and send a post type which tells you which one to use.

Example:

data: {keyvalue: 2416, q: 2},

Then you take your query that corresponds to number 2 and use that! No need to pass the SQL along!


1

As these others say, absolutely don't send straight SQL in the AJAX call. A hacker could easily write their own SQL query to execute whatever code they want to on your database. Instead, you can pass through POST several different field values that you'd like to filter by (for example, a "name" value or "key" or "age_range"). Then, set up the PHP on the receiving end to be smart about when to use these values; if key is present, use that as the identifier and use query X. If key is absent, check for name or other values to perform a search for the right row, and plug them into query Y.

As IngodItrust says, you can also send a POST value that specifies which query to use, i.e.

q: 'LongerQuery'

then in the receiving PHP, have several IF or CASE statements which prepare a different query depending on which Q value was present.

My site has a chart generator where a user can change settings for what data goes on the X and Y axes, whether the data are split into different series, and how the data pool should be filtered down if the user only wants to look at a specific demographic. These settings are sent through AJAX/POST when the user clicks a "Generate" button. The receiving PHP page constructs the chart data query based on these 20ish inputs; the resulting queries can look quite different depending on the settings the user chose. I'm describing this to illustrate that AJAX can be used to build some extremely flexible and user-responsive queries, without creating a security risk.

0

You should not actually pass any SQL to jsonQuery.php directly, if that is what I understand you to mean. To do this will open you up to SQL injection attacks. See http://bobby-tables.com/ or just google the term.

Rather, pass parameters to your script, for example jsonQuery.php?do=SEARCH&itemID=12&type=RED_ONES, and create your query within jsonQuery.php using those parameters. Check each for expected values beforehand, though.
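Putting the first and third answers together, here is an added example (not code from the question or from any of the answers) of a jsonQuery.php that maps a query name to a whitelisted prepared statement and validates each parameter before binding it; the table, column names, allowed "type" values and DSN are assumptions.

```php
<?php
// Added example: a jsonQuery.php that never accepts SQL from the client.
// The client sends a query name plus typed parameters; the server picks a
// fixed prepared statement and binds the values. Table, columns and DSN are assumed.
header('Content-Type: application/json');

function fail(string $msg): void {
    http_response_code(400);
    echo json_encode(['error' => $msg]);
    exit;
}

// Whitelist: query name => SQL with named placeholders + per-parameter filter
$queries = [
    'byKey'  => ['sql' => 'SELECT id, name, score FROM items WHERE id = :keyvalue',
                 'params' => ['keyvalue' => FILTER_VALIDATE_INT]],
    'search' => ['sql' => 'SELECT id, name, score FROM items WHERE type = :type AND score >= :minScore',
                 'params' => ['type' => FILTER_DEFAULT, 'minScore' => FILTER_VALIDATE_INT]],
];
$allowedTypes = ['RED_ONES', 'BLUE_ONES'];   // assumed closed set for the "type" filter

$name = $_GET['q'] ?? '';
if (!is_string($name) || !isset($queries[$name])) {
    fail('unknown query');                   // anything not in the whitelist is refused
}

$bind = [];
foreach ($queries[$name]['params'] as $param => $filter) {
    $value = filter_input(INPUT_GET, $param, $filter);
    if ($value === null || $value === false) {
        fail("bad or missing parameter: $param");   // absent or wrong type
    }
    if ($param === 'type' && !in_array($value, $allowedTypes, true)) {
        fail('type not allowed');
    }
    $bind[':' . $param] = $value;
}

// Assumed DSN and credentials; emulated prepares off so the driver sends
// the statement text and the bound values to MySQL separately.
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$stmt = $pdo->prepare($queries[$name]['sql']);
$stmt->execute($bind);
echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
```

The client then sends only `q=byKey&keyvalue=2416` or `q=search&type=RED_ONES&minScore=10`; no SQL text ever leaves the server.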
