Which is better from a security standpoint when populating an HTML select box?
Option A: PHP
<?php echo "<select name=\"empName\" id=\"empName\" class=\"text\" style=\"width:10em;\">
";?>
<?php include 'PHPscripts/getEmployeeNamesDB.php'?>
<?php echo "</select>
";?>
getEmployeeNamesDB.php
$dropdown = "";
$tbl_name="employee"; // Table name
$result = mysql_query("SELECT CONCAT_WS(' ', firstname, lastname) AS 'wholename', empid FROM $tbl_name ORDER BY lastname") or die("cannot select result DB.php");
while($row = mysql_fetch_assoc($result)) {
$empid = $row["empid"];
$name = $row["wholename"];
$dropdown .= "<option value=\"$empid\">$name</option>
";
}
echo $dropdown;
Option B: Javascript
Same information except use an AJAX call to populate a javascript variable. then use javascript to make select statement?
Security is my primary concern but I would also like to know if you can come up with any other concerns I should consider.
