Home/ Questions/Q 6342539
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-24T20:15:37+00:00

I want to send whole sql command through ajax call as a argument. Do

  • 0

I want to send whole sql command through ajax call as a argument. Do I have to do escape it or to do something special about that?

Something like tools.php?database=db2&sql=select * from table

If escaping is necessary

  • how do I do it in javascript/jquery
  • what do I do then in php to read it

NOTE – very specific use-case & system settings

The web server is accessible only from inside our internal network. If anybody breaks in they can get all the databases so my ‘little application’ with I am improving via this question is not important at all. I have already implemented DROPping of whole database, updating whole columns, updating db’s settings etc via my web application. I just want to add this new feature. I might even happen that I am going to be the only use of this web application.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    PEOPLE, DON’T USE THIS CODE IF YOU ARE NOT ABSOLUTELY SURE WHAT YOU ARE DOING

    This code is subject to catastrophical security breaches, so don’t use it unless you absolutely sure that no evil people will access it.

    Sending:

    jQuery.ajax({
    type: 'post',
    dataType: 'json',
    url: *your backend url here*,
    data: {database: 'db', sql: "select * from table"},
    success: function(data, textStatus){
        //perform any processing with data returned from backend here
    }
});

    Receiving:

    <?php
    $sql = $_POST['sql'];
    $db = $_POST['db'];
    //db connection
    $result = mysql_query($sql);
    //processing query result, $rslt is processing result
    echo json_encode($rslt);
?>

    Hovewer, it’s not a good idea to send SQL from client, such an approach is extremely vulnerable to SQL-injections. But, if you are sure you want to shoot yourself in a leg…

    • 0