Using PHP Object values in AJAX
I am working on a pet project. I have a PHP class. In the HTML, I make instances of that object, so the same page can contain many instances. Now I have to make AJAX calls. The AJAX call is based on the instances of the object. The data sent in AJAX calls can contain names of database tables and such. I was wondering how safe that is. Any thoughts?
An attacker would like to know:
- how to slip something in,
- what to slip in.
You are giving away number 2 for free.
It is better to call a function, which knows the fields of the DB to query and takes passed values as parameters.
Well, consider this case:
a) You have a Javascript function that does an AJAX call to perform a query on your server, and it's something like:
function doQuery(tablename, fieldname, whereclause) { ... }
b) On the server, you dynamically build a query using the passed over parameters of that AJAX call:
$query = "SELECT $fieldname FROM $tablename WHERE $whereclause";
What's to stop a malicious user from injecting a call to your AJAX function with
fieldname = '*'
tablename = 'mysql.user'
whereclause = '1=1'
You end up with
SELECT * from mysql.user WHERE 1=1
and your entire MySQL username/password collection goes happily out the door.
Never ever EVER allow user-supplied data control what your code does, especially when it comes to interfacing with "outside" systems such as a database.
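The server side of that AJAX call done the way both answers recommend, as an added example that is not code from the question or either answer: the client sends only an action name and a value, the table and column come from a server-side allowlist, and the value is bound as a prepared-statement parameter. The entity map, the widgets table and the request shapes are constructed for the demo; it uses an in-memory SQLite database so it runs stand-alone.

```php
<?php
// Constructed allowlist: action name from the client => table and column it may filter on.
// Nothing the client sends is ever used as a table or column name.
const ENTITY_MAP = [
    'widget' => ['table' => 'widgets', 'column' => 'owner_id'],
    'note'   => ['table' => 'notes',   'column' => 'owner_id'],
];

function fetchForOwner(PDO $db, array $request): array {
    // 1. Only an allowlisted action name reaches the query; anything else is rejected.
    $entity = $request['entity'] ?? '';
    if (!array_key_exists($entity, ENTITY_MAP)) {
        throw new InvalidArgumentException('unknown entity');
    }
    // 2. The filter value is validated for shape, then bound; it never touches the SQL string.
    $ownerId = filter_var($request['owner_id'] ?? null, FILTER_VALIDATE_INT);
    if ($ownerId === false) {
        throw new InvalidArgumentException('owner_id must be an integer');
    }
    $table  = ENTITY_MAP[$entity]['table'];   // from the allowlist, not from the client
    $column = ENTITY_MAP[$entity]['column'];
    $stmt = $db->prepare("SELECT id, title FROM {$table} WHERE {$column} = :owner");
    $stmt->execute([':owner' => $ownerId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE widgets (id INTEGER PRIMARY KEY, title TEXT, owner_id INTEGER)');
$db->exec("INSERT INTO widgets (title, owner_id) VALUES ('alpha', 1), ('beta', 2)");

// A legitimate request from the page, e.g. JSON {"entity":"widget","owner_id":"1"}.
print_r(fetchForOwner($db, ['entity' => 'widget', 'owner_id' => '1']));

// The requests from the answer above: a caller-chosen table name and a caller-chosen
// where clause. Neither passes the allowlist/validation step, so no query is built.
$bad = [
    ['entity' => 'mysql.user', 'owner_id' => '1'],
    ['entity' => 'widget',     'owner_id' => '1 OR 1=1'],
];
foreach ($bad as $request) {
    try {
        fetchForOwner($db, $request);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Run with `php example.php`; the first call prints the single row for owner 1 and the two crafted requests print `rejected: ...` without ever reaching the database.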