On Facebook you are able to click the "add friend" button to add a friend without refreshing the page. Most probably this requires being able to access a database using JavaScript; however, I was given to understand that that's an awful idea.

Could anybody explain this to me?

This isn't directly interacting with the database, but with an API (some web service). The API then has the logic to communicate with the database.

It's Ajax, basically.

  1. User clicks the button
  2. JavaScript opens another page in the background, like "addfriend.php?id=5"
  3. PHP page adds the request to the database
  4. PHP (or any server page) returns an answer
  5. JavaScript handles the answer

They don't allow database access from JavaScript; they're simply making HTTP calls from JavaScript, without loading the entire page. The technology is known as AJAX (Asynchronous JavaScript and XML). Read much more about AJAX on Wikipedia.

It would be bad if the SQL for the database could be specified by the client code and executed with no validation by the DB:

<input type="button" onclick="updateDatabase('INSERT INTO FriendRequests...')" />

...but that's not the situation.

Very simplified: The 'add friend' button calls a server-side method with an HTTP request. The server-side method verifies your identity and the request, then most likely calls a data-access method, and the data-access method then calls the actual database. This makes it perfectly acceptable.
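
The flow this answer describes, as an added example that is not part of the original answer or any site's real code: a server-side handler that accepts only a user id from the browser, checks identity and input, then runs a fixed parameterized statement. The names `handleAddFriend`, `SESSIONS`, `makeFakeDb` and the column names are hypothetical, and the database is an in-memory stand-in.

```javascript
// Added example. Constructed session store: session cookie -> authenticated user id.
const SESSIONS = new Map([["sess-alice", 1], ["sess-bob", 2]]);

// Stand-in for a database driver with parameterized queries (assumption).
// It records each statement and its bound values so the result can be inspected offline.
function makeFakeDb(existingUserIds) {
  const rows = [];
  return {
    rows,
    userExists: (id) => existingUserIds.includes(id),
    run(sql, params) { rows.push({ sql, params }); },
  };
}

// The only SQL that can run is defined on the server; the browser supplies values only.
// Column names from_id / to_id are assumed for illustration.
const INSERT_REQUEST =
  "INSERT INTO FriendRequests (from_id, to_id) VALUES (?, ?)";

// request models what arrives for "addfriend.php?id=5":
//   { cookies: { session: "..." }, query: { id: "5" } }
function handleAddFriend(request, db) {
  // 1. Identity comes from the server-side session, never from a client-sent field.
  const fromId = SESSIONS.get(request.cookies.session);
  if (fromId === undefined) return { status: 401, body: "not logged in" };

  // 2. Validate the request: the id must be a plain positive integer.
  const raw = String(request.query.id ?? "");
  if (!/^[1-9][0-9]{0,9}$/.test(raw)) return { status: 400, body: "bad id" };
  const toId = Number(raw);

  // 3. Business rules: no self-requests, target must exist.
  if (toId === fromId || !db.userExists(toId)) {
    return { status: 400, body: "bad target" };
  }

  // 4. Data access: fixed statement, values bound as parameters.
  db.run(INSERT_REQUEST, [fromId, toId]);
  return { status: 200, body: "request sent" };
}
```

Whatever the browser sends in `id`, the statement text never changes; a value that is not a valid user id is rejected before the data-access step.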

The JavaScript causes the browser to make an HTTP request behind the scenes (normally, this is referred to as Ajax), and a server-side process handles the database access.