Is it OK (I mean for security reasons) to pass a database query (select, update or whatever) to the server side as a parameter (i.e., I read the values of the form fields, form a query string in JavaScript and pass the formed string to the server as a parameter):
$.ajax({
    url : "servletURL",
    type : "post",
    data: {query: "select name, last_name from employees"},
    success: function (data) { /* do things */ }
});
var name = document.getElementById('name').value;
var last_name = document.getElementById('last_name').value;
$.ajax({
    url : "servletURL",
    type : "post",
    data: {query: "select * from employees where name=" + name + " and last_name=" + last_name},
    success: function (data) { /* do things */ }
});
Unless you're building something that is explicitly for executing queries on a database (PHPMyAdmin, or such), it is NEVER okay to do this.
Why?
A malicious user can now delete your ENTIRE database, simply by editing the JavaScript.
$.ajax({
    url: "",
    type: "post",
    data: {query: "DROP database"},
    success: function () { /* ... */ }
});
The best practice is to send the data to the server, and construct your query over there.
The only attack that is left is SQL injection. Solutions for this are specific to each language, but you can have a look at Tom Scott's explanation on it.
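What the answer's best practice looks like on the server, as an added example that is not from the question or the answer: the client posts only an action name and the form values, and the server-side handler (written here in Node-style JavaScript rather than the Java servlet the question implies) picks a fixed parameterized query and binds the values to it. The `QUERIES`/`PARAMS` tables, the `?` placeholder style and the in-memory stand-in for a driver are assumptions.

```javascript
// Fixed query templates live on the server; the client can never alter the SQL text.
const QUERIES = {
  listEmployees: "SELECT name, last_name FROM employees",
  findEmployee: "SELECT * FROM employees WHERE name = ? AND last_name = ?",
};

// Which request fields each action binds, in placeholder order.
const PARAMS = {
  listEmployees: [],
  findEmployee: ["name", "last_name"],
};

// Turn a request body such as { action, name, last_name } into { sql, values }.
// Unknown actions and missing fields are rejected before anything reaches the database,
// so a body like { action: "DROP database" } is simply an error.
function buildQuery(body) {
  const sql = QUERIES[body.action];
  if (sql === undefined) throw new Error("unknown action: " + body.action);
  const values = PARAMS[body.action].map((field) => {
    const v = body[field];
    if (typeof v !== "string" || v.length === 0) throw new Error("missing field: " + field);
    return v;
  });
  return { sql, values };
}

// Stand-in for a driver's execute(sql, values), used only so the bound result can be
// inspected here: it quotes each value as a string literal. A real driver sends the SQL
// and the values separately, which is what makes the binding injection-safe.
function renderForInspection({ sql, values }) {
  let i = 0;
  return sql.replace(/\?/g, () => "'" + String(values[i++]).replace(/'/g, "''") + "'");
}

// Constructed sample request, as a form submission would produce it.
const sampleBody = { action: "findEmployee", name: "Ann", last_name: "O'Brien" };
console.log(renderForInspection(buildQuery(sampleBody)));
```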