Could anybody explain this in my experience?
This isn't directly communicating with the database, but with an API (some web service). The API then has logic to communicate with the database.
It's Ajax, basically:
- User clicks button
- PHP page adds request to database
- PHP (or any server page) returns answer
It would have been bad if the SQL for that database could be specified by the client code and executed with no validation from the DB:
<input type="button" onclick="updateDatabase('INSERT INTO FriendRequests...')" />
...but that's not the situation.
Very simplified: The 'add friend' button calls a server-side method with an HTTP request. The server-side method validates your identity and also the request, then most likely calls a data-access method, and the data-access method then calls the actual database. This makes it perfectly acceptable.
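
The flow described in the answers above, sketched as an added example (not code from any of the posters): a server-side method takes the sender from the session, validates the request, and only then calls a data-access method that holds the one fixed, parameterized SQL statement. The names `add_friend`, `insert_friend_request`, `SESSIONS` and the schema are assumptions made for illustration, with SQLite standing in for the real database.

```python
import sqlite3

# Constructed sample data: session tokens the server issued at login -> user id.
SESSIONS = {"tok-alice": 1, "tok-bob": 2}

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE friend_requests (
            from_id INTEGER NOT NULL, to_id INTEGER NOT NULL,
            UNIQUE (from_id, to_id));
        INSERT INTO users VALUES (1, 'alice'), (2, 'bob'), (3, 'carol');
    """)
    return db

# Data-access layer: the only place SQL text exists; values are bound, never spliced in.
def insert_friend_request(db, from_id, to_id):
    db.execute(
        "INSERT OR IGNORE INTO friend_requests (from_id, to_id) VALUES (?, ?)",
        (from_id, to_id))
    db.commit()

def user_exists(db, user_id):
    return db.execute("SELECT 1 FROM users WHERE id = ?", (user_id,)).fetchone() is not None

# Server-side method that the 'add friend' button reaches over HTTP.
def add_friend(db, session_token, params):
    """Return (http_status, message) for one request."""
    sender = SESSIONS.get(session_token)   # identity comes from the session, not the request body
    if sender is None:
        return 401, "not logged in"
    raw = str(params.get("friend_id", ""))
    if not (raw.isascii() and raw.isdigit()) or len(raw) > 10:   # request validation
        return 400, "friend_id must be a numeric id"
    target = int(raw)
    if target == sender or not user_exists(db, target):
        return 400, "invalid friend_id"
    insert_friend_request(db, sender, target)
    return 200, "request sent"

def pending(db):
    return db.execute("SELECT from_id, to_id FROM friend_requests ORDER BY from_id, to_id").fetchall()
```

The browser only ever sends a session token and a `friend_id`; a `from_id` or SQL text in the request is ignored or rejected, because neither is an input the server-side method reads.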