xmlHttp2 function (var params coding needed!)

In this page where this code is,there is a form of 3 details country,gender,topic

So the idea is to send these 3 details to startChat.php and so that the php can extract the 3 details.

The code is as below

function startChat()
            {
            xmlHttp2 = GetXmlHttpObject();

            if (xmlHttp2 == null)
                {
                alert("Browser does not support HTTP Request");
                return;
                }

            var url = "startChat.php";
            var params = "country,gender,topic";<<<<<<<<<<<<<<<<<<<<<<<what coding this should be?????
            xmlHttp2.open("GET", url, true);
            xmlHttp2.send(params);<<<<<<<<is this correct?????
            xmlHttp2.onreadystatechange = stateChanged2;     开发者_如何学C          
            }

And also i would need help with the startChat.php part

    <?php

include('config.inc.php');
$preference="$_GET[params]";<<<<<<<<<<<<<<<<<<<<<<<<<<<<what coding this should be????????????????????????????????????

include('database.inc.php');
mysql_query("INSERT INTO users (inchat,preference) values('N','$preference')");

echo mysql_insert_id();

mysql_close($con);

?>

Please help,asking sincerely :(

First off, you ought to use a POST request instead of a GET, because it's clear from your code that this request is supposed to change state on the server.

Your params variable should be form encoded. You can do this with encodeURIComponent, like so:

var params = 'country=' + encodeURIComponent(userCountry) +
             '&gender=' + encodeURIComponent(userGender) +
             '&topic=' + encodeURIComponent(userTopic);

Second, you ought to sanitize the data before you insert it into your DB. Otherwise you expose yourself to SQL injection attacks.

<

?php

include('config.inc.php');

// need to create db connection before mysql_real_escape_string is called
include('database.inc.php');

$country = mysql_real_escape_string($_POST['country'], $con);
$gender = mysql_real_escape_string($_POST['gender'], $con);
$topic = mysql_real_escape_string($_POST['topic'], $con);

mysql_query("
    INSERT INTO users(inchat, country, gender, topic)
    VALUES('N','$country', '$gender', '$topic')
");

echo mysql_insert_id();

mysql_close($con);

?>

Note that I've also changed your DB structure. In general, it's best to avoid putting more than one piece of data into a single field (DB normalization).