Welcome to the Treehouse Community

The Treehouse Community is a meeting place for developers, designers, and programmers of all backgrounds and skill levels to get support. Collaborate here on code errors or bugs that you need feedback on, or asking for an extra set of eyes on your latest project. Join thousands of Treehouse students and alumni in the community today. (Note: Only Treehouse students can comment or ask questions, but non-students are welcome to browse our conversations.)

Looking to learn something new?

Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and a supportive community. Start your free trial today.

PHP

Calling a PHP Method with AJAX, secure or not?

Hello, i want to make a bit efficient website and load all pages into a container with AJAX. I can do it in two ways (atleast 2 ways that make sense to me). First way would be loading an AJAX with a method inside, for example "Online Users". The page would be loaded with AJAX and inside the page, i would use a method to show all the Users. The second way, would be to make a AJAX call and get a JSON string and encode it via Javascript and loop out the whole array of users. I guess passing the JSON made by PHP and encoding it in the Frontend would be the most efficient way right?

I read about "Protocol Buffer" but i have no idea how to install it on my Webhost nor how to use it.

1 Answer

Spenser Hale
Spenser Hale
20,778 Points

Hey Damian,

What you are asking can be secure, however to secure you will need to think of some basic web security. For example, when you make the AJAX call to fetch the users; you want to secure that request. Most front-end frameworks will say JSON and having JS print to page would be efficient. Using an standard with JSON also allows you to be flexible with the backend.

Should the the user information by private, ie only visible to other logged in users? If so then how will we authentication and then authorize them to fetch the users over AJAX? Could someone exploit our authentication? Should we use once time numbers or tokens, etc.