In my opinion, Ajax is great for performing requests without clicking a link or sending a form. However, I'm worried about its security issues, or maybe I'm just thinking too much. In Ajax, the JavaScript is viewable by everyone and the PHP is accessible through the web. Would it be possible for the user to call the PHP script directly, bypassing htaccess restrictions, etc.?
There are three options (any suggestions for new options will be appreciated) for me to achieve my goal.
Option A: Page -> clicking button and calling Ajax -> display on page
Option B: Page -> include PHP file in root directory -> clicking button to show hidden div (below 10 MySQL rows) -> display on page
Option C: Page A -> clicking button redirects to Page B -> include PHP file in root directory -> show results across multiple pages (10+ per page)
Option A would be nice for me; however, it seems not so secure. Will the answer be the same when dealing with overwriting values in a MySQL table (more security issues have to be considered)?
----------update------------
I'm now using Option C, and using Ajax to handle the accept request and reject request actions based on the results shown on Page B. Still, I'm wondering about the security issues of Ajax, to see when the pros of Ajax's client + server side scripting will beat the cons of its security issues. The web structure needs to be adjusted and improved according to the security issues.