Making a Server Request ❘ 181
you like from the server and transmit it to the client. These formats are the most popular because
JavaScript provides you with tools for working with these types of data. XML can be easily queried
using DOM tools and methods, as well as with jQuery’s various methods of traversal, filtering, and
retrieval. HTML can be sent in incomplete snippets that can be effortlessly inserted into a document
using jQuery’s html() method.
You can also transmit JavaScript from the server; the client-side application evaluates it, executing the code and making whatever variables, functions, objects, and so on it defines available.
The JSON format is a subset of the syntax allowed to create JavaScript object literals, and it is
therefore a subset of JavaScript. It is considered to be its own format for data transmission, however.
Many popular languages have the ability to both read and send JSON-formatted data.
There are potential security issues associated with JSON that you should consider; they result from using eval() to execute JavaScript code received from the server. eval() should be used only if you are certain that the data being evaluated cannot be manipulated and cannot contain malicious code. In your web application, take precautions before using eval() to execute anything that has been user-provided, because a user can have malicious intentions. Because a portion of your code is visible to everyone on the client side, any user can discover what methods you use to transmit and receive data. If you use JSON to transmit user-supplied data that originates from your input forms, a user can maliciously craft the data submitted in your forms so that it is executed alongside your JSON-formatted code. One exploit a malicious user can take advantage of in this way would be to execute JavaScript that takes other users’ session data and transmits that data back to the malicious user’s server. This type of exploit is known as an XSS (Cross-Site Scripting) vulnerability, alternatively known as Cross-Site Scripting Forgery. Because session data is not tied to a user’s computer but, instead, relies on long strings of numbers and letters that are mathematically difficult to reproduce, when a malicious user obtains another user’s session id, that malicious user can impersonate other users and steal their sensitive data or log in to your server and obtain privileged information. So great care and thought must be placed into what code is safe to eval() and what code is not.
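The following is an added example, not code from the book, illustrating the point above: a constructed server response that is genuine JSON and one that has been tampered into a JavaScript expression are each handed to eval() and to JSON.parse(), and a user-supplied form value is encoded with JSON.stringify() so that it arrives as an inert string. All payloads and helper names (parseWithEval, parseWithJsonParse, encodeForWire, roundTripFormValue) are constructed for this illustration.

```javascript
// Added example (not from the book): eval() versus JSON.parse() on a
// server response, and encoding user input so it cannot become code.
// All payloads and helper names below are constructed for illustration.

// A well-formed JSON response, as the server should send it.
const GOOD_RESPONSE = '{"user":"alice","items":[1,2,3]}';

// A response that is no longer JSON: it has been turned into a JavaScript
// expression that performs a side effect when evaluated. The side effect
// here is a harmless global flag standing in for code the author never wrote.
const TAMPERED_RESPONSE =
  '(function () { globalThis.sideEffect = "ran"; return {"user": "alice"}; })()';

// Unsafe: eval() runs whatever JavaScript the string contains.
function parseWithEval(text) {
  return eval('(' + text + ')');
}

// Safe: JSON.parse() accepts only the JSON grammar and throws on anything else.
// Returns {ok, value} or {ok, error} so callers can branch without try/catch.
function parseWithJsonParse(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Demonstrates the danger: after eval() of the tampered response the side
// effect has happened, even though a plausible-looking object came back.
function evalRunsTamperedCode() {
  delete globalThis.sideEffect;
  const result = parseWithEval(TAMPERED_RESPONSE);
  return result.user === 'alice' && globalThis.sideEffect === 'ran';
}

// What the server side should do with form input before sending it back:
// JSON.stringify() escapes quotes and control characters, so the value
// arrives as a string no matter which characters it contains.
function encodeForWire(formValue) {
  return JSON.stringify({ comment: formValue });
}

// Round trip: encode a hostile-looking form value, parse it with JSON.parse(),
// and confirm it comes back as the same inert string.
function roundTripFormValue(formValue) {
  return parseWithJsonParse(encodeForWire(formValue)).value.comment;
}

// Stand-alone run.
console.log(parseWithJsonParse(GOOD_RESPONSE));         // { ok: true, value: { user: 'alice', items: [1, 2, 3] } }
console.log(parseWithJsonParse(TAMPERED_RESPONSE));     // { ok: false, error: 'SyntaxError' }
console.log(evalRunsTamperedCode());                    // true
console.log(roundTripFormValue('"; doSomething(); "')); // "; doSomething(); "  (unchanged string)
```

The design choice worth noting is that JSON.parse() fails closed: a response that is not JSON is rejected outright rather than partially interpreted, which is exactly the property eval() lacks. jQuery’s JSON-aware request helpers rely on the same strict parsing, so preferring them over hand-rolled eval() is the practical form of the caution in the paragraph above.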
Making a GET Request with jQuery
Having talked about some of the inner workings of what an AJAX request is, the next topic for
discussion is making your first GET request with AJAX using jQuery.
Of course, AJAX is typically used to create dynamic web applications that have a server-side component written in something such as PHP, Java, .NET, Ruby, or whatever you like. The server-side portion of this is outside the scope of this book, so, instead of linking an AJAX request to a server-side application, I link these requests to local documents that provide the same response every time. If you’d like to learn more about the server-side components that are involved, Wrox has an excellent selection of books covering just about every language.
That said, jQuery makes a few methods available that initiate a GET request from a server; the
method that you use depends on the data you’re getting. The generic method, which you can use
to make any type of GET request, is called, easily enough, get(). Each method is a member of the
jQuery object, so you’d call the get() method like this: $.get().