the possible problems involved.
Next, you have to consider the ergonomics of what you are loading a MySQL result into. For instance, if you are working with a full page refresh and you want to output an error message, it is simple to place the message somewhere on the page where it will be quite visible. When working with Ajax, however, you will frequently be loading content into smaller, more contained, less evident enclosures, so you will have to be more vigilant in keeping the user's attention on what is going on. In particular, MySQL error messages can be quite long, and they also tend to expose the text of the failed query and the names of your tables and columns, which is information a visitor has no business seeing. It is therefore a better idea to have the full MySQL error e-mailed (or logged) to an administrator and to show the user only a short, generic warning message.
SQL injection is the act of supplying input that ends up being interpreted as part of a SQL statement, with the intent of altering any dynamic queries your script builds. The query string (the address bar of your browser) is the most obvious route, but POST data, cookies, and HTTP headers can carry the same payload, and anyone can call your script directly without going through your Ajax front end. Because of this, it is important to take precautions whenever information from the request is used to build a MySQL query. The most reliable precaution is a prepared statement (through mysqli or PDO), in which the SQL text and the values are sent separately, so a value can never be read as SQL. Where you must assemble the query text yourself, escape string values with the database's own escaping function (mysqli_real_escape_string, or mysql_real_escape_string in the old mysql extension, which was removed in PHP 7); note that it escapes quote and control characters rather than "removing" injected data, and that it only works correctly once the connection's character set has been set. The addslashes function is a weaker substitute, because it knows nothing about the connection's character set, whereas wrapping integer parameters in intval is simple and effective for integer-based variables. All in all, it is important to realize that someone could easily access your script directly, so you should take precautions accordingly, especially with dynamic queries.
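The following script is an added example and is not code from the book. It puts the injection just described, the intval fix, a prepared statement, and the "log it, don't show it" error handling from the previous paragraph side by side. It assumes PHP with PDO and the pdo_sqlite driver, uses an in-memory SQLite database so it runs stand-alone (the same PDO calls work against MySQL with a mysql: DSN), and the users table, its rows, and the three request values are constructed here; error_log stands in for the e-mail to the administrator.

```php
<?php
// Added example, not code from the book: the injection described above, the
// intval fix, a prepared statement, and the "log it, don't show it" error
// handling from the previous section. Uses an in-memory SQLite database
// through PDO so that it runs stand-alone; the same PDO calls work against
// MySQL with a mysql: DSN. Table, rows and inputs are constructed here.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");

// 1. Vulnerable: the request value is pasted straight into the SQL text,
//    so whatever it contains is parsed as SQL.
function lookupVulnerable(PDO $db, string $id): array
{
    $sql = "SELECT username FROM users WHERE id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. intval, as the text suggests for integer parameters: anything that is
//    not a leading integer is discarded before the value reaches the SQL.
function lookupIntval(PDO $db, string $id): array
{
    $sql = 'SELECT username FROM users WHERE id = ' . intval($id);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Prepared statement: the value travels as data, separately from the SQL,
//    so it can never be interpreted as part of the statement.
function lookupPrepared(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT username FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Error handling for an Ajax response: record the full database message
// server-side (error_log stands in for the e-mail to the administrator) and
// send the browser only a short generic notice.
function runLookup(PDO $db, callable $lookup, string $id): string
{
    try {
        return json_encode(['users' => $lookup($db, $id)]);
    } catch (PDOException $e) {
        error_log('Lookup failed for id ' . var_export($id, true) . ': ' . $e->getMessage());
        return json_encode(['error' => 'Lookup failed; the administrator has been notified.']);
    }
}

// Constructed inputs standing in for $_GET['id']: a normal value, a
// tautology that widens the WHERE clause, and a malformed value that
// breaks the query outright.
$inputs = ['1', '1 OR 1=1', "1'"];
foreach ($inputs as $id) {
    echo 'input ', var_export($id, true), "\n";
    echo '  vulnerable: ', runLookup($db, 'lookupVulnerable', $id), "\n";
    echo '  intval:     ', runLookup($db, 'lookupIntval', $id), "\n";
    echo '  prepared:   ', runLookup($db, 'lookupPrepared', $id), "\n";
}
```

Run it with `php` from the command line. For the tautology input the vulnerable query returns every user, while intval reduces the value to 1 and the prepared statement finds no row with that id; for the malformed input the vulnerable query fails with a syntax error, and the browser sees only the generic notice while the real message goes to the log.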