How to securely send additional data/parameters via $.ajax for filtering?

I'm trying to send additional data/parameters via $.ajax for additional filtering of a returning json. When sending a single term, my setup looks like this:

javascript:

$.ajax({
  url: "/source.php",
  dataType: "json",
  data: {
    term: request.term
  },

Console:

GET .../source.php?term=valueA1

PHP:

$term = trim(strip_tags($_GET['term'])); 
$term = preg_replace('/\s+/', ' ', $term);

$a_json = array();
$a_json_row = array();

$a_json_invalid = array(array("id" => "#", "value" => $term, "label" => "Only letters and digits are permitted..."));
$json_invalid = json_encode($a_json_invalid);

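// preg_match() returns false (not 0) when $term is not valid UTF-8, so treat anything but 0 as invalid
if (preg_match("/[^\040\pL\pN_-]/u", $term) !== 0) {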
  print $json_invalid;
  exit;
}

if ($data = $mysqli->query("SELECT * FROM accounts WHERE name LIKE '%$term%' OR code LIKE '%$term%'")) {
while($row = mysqli_fetch_array($data)) {
    ...
}
}

Now, when adding/sending the additional data/parameters (if available) my setup looks like this:

$.ajax({
  url: "/source.php",
  dataType: "json",
  data: {
    term: request.term,
    tags: $('#input-newsearch-2').val()
  },

.val() of $('#input-newsearch-2') can be:

$('#input-newsearch-2').val() = 
$('#input-newsearch-2').val() = valueA1
$('#input-newsearch-2').val() = valueA1,valueA2
$('#input-newsearch-2').val() = valueA1,valueA2,valueA3

... and so on.

Console:

GET source.php?term=valueA1&tags=
GET source.php?term=valueA2&tags=valueA1
GET source.php?term=valueA3&tags=valueA1%2CvalueA2
GET source.php?term=valueA4&tags=valueA1%2CvalueA2%2CvalueA3

Is it possible to send a comma-separated array like this, and what should the PHP look like to use tags for additional filtering (AND WHERE)?

Edit: This is not a duplicate of the referenced answer since I'm sending a possible array as the second parameter. Also, it doesn't answer how to then fetch it in PHP and how to use it in the query.

1 Answer

0

If you want it to be truly secure, you need to put the data inside the payload instead of in the URL or Query string.

See this relevant question: Send JSON data with jQuery

3 Comments

While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes.
Could you provide an example suitable for my case, since I'm sending a possible array as the second parameter? Also, you didn't answer how I should then fetch it in PHP and use it in the query.
I'm sorry, I have never worked with php, but you just need to access the data payload instead of the params.
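
One way to handle the comma-separated `tags` parameter from the question on the PHP side, as an added example that is not part of the original posts: each tag is checked with the question's own character pattern and every value reaches the query through a prepared-statement placeholder. The `tag` column on `accounts`, the 20-tag limit and the connection values are assumptions.

```php
<?php
// Added example. Assumed: a `tag` column on `accounts`, placeholder DB credentials.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Split "a,b,c" into a validated list; null means at least one item was rejected.
function parse_tags(string $raw, int $max = 20): ?array {
    $tags = [];
    foreach (explode(',', $raw) as $item) {
        $item = preg_replace('/\s+/', ' ', trim($item));
        if ($item === '') continue;                       // "tags=" or "a,,b"
        // !== 0 also rejects invalid UTF-8, where preg_match() returns false
        if (preg_match('/[^\040\pL\pN_-]/u', $item) !== 0) return null;
        $tags[] = $item;
    }
    $tags = array_values(array_unique($tags));
    return count($tags) > $max ? null : $tags;
}

// "_" passes the whitelist but is a LIKE wildcard, so escape it for the pattern.
function like_escape(string $s): string {
    return addcslashes($s, '\\%_');
}

header('Content-Type: application/json');
$term = $_GET['term'] ?? '';
$raw  = $_GET['tags'] ?? '';
// "tags[]=x" would arrive as an array; accept plain strings only.
$tags = (is_string($term) && is_string($raw)) ? parse_tags($raw) : null;
$term = is_string($term) ? preg_replace('/\s+/', ' ', trim($term)) : '';
if ($tags === null || preg_match('/[^\040\pL\pN_-]/u', $term) !== 0) {
    echo json_encode([["id" => "#", "value" => "", "label" => "Only letters and digits are permitted..."]]);
    exit;
}

$sql    = "SELECT name, code FROM accounts WHERE (name LIKE ? OR code LIKE ?)";
$like   = '%' . like_escape($term) . '%';
$params = [$like, $like];
if ($tags) {                                              // one "?" per tag
    $sql .= " AND tag IN (" . implode(',', array_fill(0, count($tags), '?')) . ")";
    $params = array_merge($params, $tags);
}

$mysqli = new mysqli('localhost', 'db_user', 'db_password', 'db_name'); // placeholders
$mysqli->set_charset('utf8mb4');
$stmt = $mysqli->prepare($sql);
$stmt->bind_param(str_repeat('s', count($params)), ...$params);
$stmt->execute();
echo json_encode($stmt->get_result()->fetch_all(MYSQLI_ASSOC));
```

The same code works unchanged for a POST body by reading `$_POST` instead of `$_GET`; the validation and parameter binding are what keep the query safe, whichever way the values arrive.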