AJAX security question

I'm really new to AJAX. And I saw this tutorial about how to retrieve database result using ajax http://www.w3schools.com/php/php_ajax_database.asp

Source code from the URL:

<script>
function showUser(str)
{
  var xmlhttp; // declared locally so it does not leak into the global scope
  if (str=="")
    {
    document.getElementById("txtHint").innerHTML="";
    return;
    }
  if (window.XMLHttpRequest)
    {// code for IE7+, Firefox, Chrome, Opera, Safari
    xmlhttp=new XMLHttpRequest();
    }
  else
    {// code for IE6, IE5
    xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
    }
  xmlhttp.onreadystatechange=function()
    {
    // readyState 4 = request finished, status 200 = OK
    if (xmlhttp.readyState==4 && xmlhttp.status==200)
      {
      document.getElementById("txtHint").innerHTML=xmlhttp.responseText;
      }
    }
  // str is concatenated into the query string as-is, without URL encoding
  xmlhttp.open("GET","getuser.php?q="+str,true);
  xmlhttp.send();
}
</script>

Is that code secure enough? Are there any other concerns I need to check for security, other than server-side validation? What is the best practice regarding security when applying that code?

Thanks and I'm really sorry for the dumb question. T_T

The 'secure enough' part depends on what you do on the server side. At the client, one part is missing here: encoding the "str" value as a proper URL value, and hence this could cause some problems.

You should at least use the encodeURIComponent (or escape) method when concatenating URL parts.

xmlhttp.open("GET","getuser.php?q="+encodeURIComponent(str),true);
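The following is an added example (not code from the question, the answer or the w3schools tutorial) that shows why the encodeURIComponent fix matters. It builds the getuser.php URL both ways and runs the result through a small, constructed stand-in for a server-side query-string parser, so you can see which parameters the server would actually receive. The parser, the function names and the sample inputs are all assumptions made for this illustration; it runs under Node.js.

```javascript
// Added example: raw vs. encoded query-string construction for getuser.php.
// A value containing URL metacharacters ("&", "=", "#", "+") changes the
// parameters the server sees when it is concatenated unencoded; the encoded
// version arrives as exactly one parameter "q" with the original value.

// The tutorial's URL construction, reproduced without encoding.
function buildUrlRaw(str) {
  return "getuser.php?q=" + str;
}

// The answer's recommendation: encode the value before concatenating.
function buildUrlEncoded(str) {
  return "getuser.php?q=" + encodeURIComponent(str);
}

// Constructed stand-in for a server's query parser (not any real server's code):
// drop the path, drop the fragment (a browser never sends it), split on "&"
// and "=", then percent-decode, treating "+" as a space as form parsers do.
function parseQuery(url) {
  const params = {};
  const qIndex = url.indexOf("?");
  if (qIndex === -1) return params;
  let query = url.slice(qIndex + 1);
  const hashIndex = query.indexOf("#");
  if (hashIndex !== -1) query = query.slice(0, hashIndex);
  for (const pair of query.split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? "" : pair.slice(eq + 1);
    params[decodeURIComponent(name.replace(/\+/g, " "))] =
      decodeURIComponent(value.replace(/\+/g, " "));
  }
  return params;
}

// What the server sees for one input, built each way.
function compare(str) {
  return {
    raw: parseQuery(buildUrlRaw(str)),
    encoded: parseQuery(buildUrlEncoded(str)),
  };
}

// True only if the encoded URL delivers exactly one parameter "q" whose
// value equals the original input, i.e. the value round-trips intact.
function roundTrips(str) {
  const p = parseQuery(buildUrlEncoded(str));
  return Object.keys(p).length === 1 && p.q === str;
}

// Constructed inputs: a normal id, then values carrying URL metacharacters.
const SAMPLE_INPUTS = ["3", "a&b=c", "x#y", "p+q"];

for (const s of SAMPLE_INPUTS) {
  console.log(JSON.stringify(s), JSON.stringify(compare(s)), "roundTrips:", roundTrips(s));
}
```

Run it with `node` and compare the two columns: "a&b=c" unencoded turns into two parameters (q and b), "x#y" loses everything after the hash, and "p+q" arrives as "p q", while every encoded variant comes back as the single q value that was typed. Encoding the request does nothing for the response side, though: the snippet still writes responseText straight into innerHTML, so whatever getuser.php returns must be escaped on the server before it is sent back.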