I am simply wondering why everything I do keeps showing up in the network view (shown below) as using GET even if both php and Construct2 are set to use POST.
Perhaps I am calling the wrong function/Ajax call?
Some info
GET method: This uses a method where the data is processed in the URL. This leaves traces in various logs at different points between your connection over HTTP. Obviously, having passwords etc. in there could be troublesome.
POST method: leaves far fewer traces than the GET method.
Difference, you can make simple links with the GET, like http://mysite/index.php?page=home
Whereas POST methods require various FORM elements in web pages before being able to send stuff somewhere.
Ajax takes care of the whole FORM formatting of your data request using POST.
If you really want to protect your content, you should start by having a https capable server.
By default, with https, your web connection will be encrypted and better protected.
So your Ajax POST requests should point to files on your server over https://yoursite/mypage.php
You have control of what the user can enter; for instance, you could only allow a certain set of keys to be entered, leaving out various mischievous characters.
Next to that, you should encode manually entered content that is being passed.
You could use in construct 2
URLEncode(str)
URLDecode(str)
Convert to and from a string in a format suitable for including in a URL or POST data.
and in PHP you would use the base64_encode / base64_decode counterpart.
mysql_real_escape_string is handy too; in PHP there are various options to strip certain undesired content from user input.
When I have a user table in a game's database, I tend to generate md5 strings from the connection and browser information, which gives me more in-depth control of what to allow from a player.
I would also try and add some flooding protection if the user is sending passwords to enter something, preventing brute force attempts.
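Pulling the points in the answer above together, here is an added example of a PHP endpoint for a Construct 2 Ajax POST call; it is not code from the thread or from Construct 2. It rejects anything that is not a POST (so a client that is accidentally sending GET fails loudly instead of being handled from the URL), requires HTTPS, whitelists the characters a player name may contain, adds simple flooding protection per client IP, and then queries the database. Two things are deliberately swapped in compared with the answer: a PDO prepared statement instead of mysql_real_escape_string, and password_hash()/password_verify() instead of md5. The table name `players`, its columns `name` and `secret_hash`, the DSN, the `CHANGE_ME` credential and the temp-file rate limiter are all assumptions for the example. PHP has already URL-decoded the form body into `$_POST`, so no manual decode step is needed on the server side.

```php
<?php
// Added example, not from the forum thread. Assumed table: players(name, secret_hash).
declare(strict_types=1);

header('Content-Type: text/plain; charset=utf-8');

// 1. Refuse anything that is not POST. A misconfigured client that sends GET
//    (the symptom in the question) is rejected here instead of having its
//    parameters read from the URL and logged along the way.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('POST required');
}

// 2. Only accept the request over HTTPS (relies on the usual $_SERVER['HTTPS'] flag).
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    http_response_code(403);
    exit('HTTPS required');
}

// 3. Whitelist the characters a player name may contain; everything else is refused.
$name = $_POST['name'] ?? '';
if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $name)) {
    http_response_code(400);
    exit('invalid name');
}
$secret = $_POST['secret'] ?? '';
if ($secret === '' || strlen($secret) > 128) {
    http_response_code(400);
    exit('invalid secret');
}

// 4. Flooding protection: at most $limit attempts per client IP per window.
//    Assumption: a writable temp dir; a real game would use a cache or DB table.
function tooManyAttempts(string $ip, int $limit = 5, int $windowSeconds = 300): bool
{
    $file = sys_get_temp_dir() . '/login_' . hash('sha256', $ip) . '.json';
    $now = time();
    $attempts = is_file($file)
        ? (json_decode((string) file_get_contents($file), true) ?: [])
        : [];
    // Drop timestamps that fell out of the window, then record this attempt.
    $attempts = array_values(array_filter($attempts, fn($t) => $t > $now - $windowSeconds));
    $attempts[] = $now;
    file_put_contents($file, json_encode($attempts), LOCK_EX);
    return count($attempts) > $limit;
}

$ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
if (tooManyAttempts($ip)) {
    http_response_code(429);
    exit('too many attempts, try again later');
}

// 5. Parameterised query: the whitelist above is a second line of defence,
//    not the only thing keeping user input out of the SQL text.
$pdo = new PDO(
    'mysql:host=localhost;dbname=game;charset=utf8mb4', // assumed DSN
    'game_user',
    'CHANGE_ME', // placeholder credential
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
    ]
);
$stmt = $pdo->prepare('SELECT secret_hash FROM players WHERE name = :name');
$stmt->execute([':name' => $name]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// 6. secret_hash is assumed to hold a password_hash() value; password_verify()
//    does a salted, constant-time comparison.
if ($row === false || !password_verify($secret, $row['secret_hash'])) {
    http_response_code(401);
    exit('login failed');
}

echo 'ok';
```

In Construct 2 the request body is sent URL-encoded, which is why the URLEncode step on the client side matters: PHP reverses it when it fills `$_POST`, and the whitelist check then runs on the decoded value rather than on the raw wire form.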