Use javascript and php via ajax to run MySQL queries - Stack Overflow
I was looking through some code on a project of mine and thinking about all the PHP pages that I call with AJAX that just run a simple update or insert query, and it made me think: what if I could essentially run an insert or update SQL query from JavaScript?
Assuming I am using the Prototype JavaScript framework for AJAX and PHP on the server side, would this work?
js:
<script type="text/javascript">
// table is a string containing the table name
// fields is an array of field names
// values is an array of values
function mysql_insert(table, fields, values) {
    var i;
    var sql = "INSERT INTO " + table + " (";
    for (i = 0; i < fields.length; i++) {
        // comma-separate the column list
        sql = sql + (i > 0 ? ", " : "") + "`" + fields[i] + "`";
    }
    sql = sql + ") VALUES (";
    // purposefully used fields array in for loop so we get matching number of values
    for (i = 0; i < fields.length; i++) {
        sql = sql + (i > 0 ? ", " : "") + "'" + values[i] + "'";
    }
    sql = sql + ");";
    // the raw SQL string is sent to the server as the 'query' parameter
    var par = 'query=' + encodeURIComponent(sql);
    var ajax = new Ajax.Request('sql.php', {method: 'post', parameters: par, onComplete: function(res) { }});
}
</script>
php:
<?php
include('db.php'); // connect to the mysql server and select database
mysql_query($_POST['query']);
?>
Obviously this is a simple example; I'm just interested to know if this would work and whether I could replace the lot of small PHP pages that each run a separate query.
Asked Oct 28, 2009 at 9:18 by Tim

Comment (Raptor, Oct 28, 2009 at 9:24): Security threat. It will work, but you have exposed too much information to the public.
3 Answers

Answer (score 10):
Don't do that!
It will allow anyone to do whatever he likes with your database!
He would be able to send any SQL command to your database.
Why don't you hide your SQL statement in your PHP? It is very dangerous to expose your database schema to the public.
Try to pass the data only, without field names.
Answer:
Ghommey is absolutely right. If you can afford to redesign your application architecture, then I would suggest you read Advanced Ajax: Architecture and Best Practices. It discusses AJAX-related security issues and how you should design your application to work with AJAX, and, more interestingly, the server-side script is in PHP.
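To make the advice in both answers concrete (keep the SQL in PHP, send only data from the client), here is an added example of what a hardened sql.php could look like. It is not code from the question or either answer. It assumes db.php creates a PDO connection in $pdo with ERRMODE_EXCEPTION set, and the action names, table names and column lists in ALLOWED_INSERTS are constructed placeholders for whatever the real application uses.

```php
<?php
// Added example: hardened replacement for the sql.php endpoint in the question.
// The browser never sends SQL text or column names. It sends an action name
// plus a data array, and the server maps the action to a fixed statement.
declare(strict_types=1);

// Whitelist of insert actions. Table and column identifiers live here,
// server-side, so the request can never choose them. (Constructed sample values.)
const ALLOWED_INSERTS = [
    'add_comment' => [
        'table'   => 'comments',
        'columns' => ['post_id', 'body'],
    ],
    'add_tag' => [
        'table'   => 'tags',
        'columns' => ['post_id', 'name'],
    ],
];

/**
 * Build a parameterised INSERT for a whitelisted action and bind the
 * client-supplied values. Returns the number of rows inserted.
 * Throws InvalidArgumentException for unknown actions or missing fields.
 */
function run_insert(PDO $pdo, string $action, array $data): int
{
    if (!isset(ALLOWED_INSERTS[$action])) {
        throw new InvalidArgumentException('unknown action');
    }
    $spec = ALLOWED_INSERTS[$action];

    // Every whitelisted column must be present and scalar; extra keys are ignored.
    $values = [];
    foreach ($spec['columns'] as $col) {
        if (!array_key_exists($col, $data) || !is_scalar($data[$col])) {
            throw new InvalidArgumentException("missing field: $col");
        }
        $values[] = (string) $data[$col];
    }

    // Identifiers come only from the constant above, never from the request.
    $cols  = implode(', ', array_map(function ($c) { return "`$c`"; }, $spec['columns']));
    $marks = implode(', ', array_fill(0, count($spec['columns']), '?'));
    $sql   = "INSERT INTO `{$spec['table']}` ($cols) VALUES ($marks)";

    // Values travel as bound parameters, so quotes in $data cannot alter the statement.
    $stmt = $pdo->prepare($sql);
    $stmt->execute($values);
    return $stmt->rowCount();
}

// Endpoint glue. db.php is assumed to define $pdo (PDO, ERRMODE_EXCEPTION).
// An authentication/authorisation check for the current user belongs before run_insert.
include 'db.php';
header('Content-Type: application/json');
try {
    $action = $_POST['action'] ?? '';
    $data   = $_POST['data']   ?? [];   // posted as data[post_id]=..&data[body]=..
    $rows   = run_insert($pdo, $action, is_array($data) ? $data : []);
    echo json_encode(['ok' => true, 'rows' => $rows]);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo json_encode(['ok' => false, 'error' => $e->getMessage()]);
}
```

With this shape the Prototype call from the page becomes `new Ajax.Request('sql.php', {method: 'post', parameters: {action: 'add_comment', 'data[post_id]': 12, 'data[body]': text}})`: one endpoint still replaces the many small PHP pages, but the statement text, the table and the column names are fixed on the server, and a request can only pick one of the actions you listed.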