The specific issues arise when you begin to use JSON, which comes highly recommended nonetheless. Because JSON is typically eval()'d, the return data from the script will be executed like normal JavaScript, so I'm sure you can appreciate the problem already.
Gmail was recently exposed as being susceptible to that kind of JSON hack. Thankfully, Prototype not only offers good documentation for the handling of JSON files, but it also provides a truly awesome function for safely parsing the JSON data into an array.
I feel JSON is definitely the way to go. Although AJAX was naturally created to parse XML files, XML can be quite bloated for such a simple task. You just have to remember to also set the content-type of your JSON file to application/json. This can be done using PHP, or simply adding a new MIME type - maybe both:
PHP code:
header('content-type: application/json');
I also wrote an article on using JSON with PHP, which you may wish to take a read of over here.
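
The following is an added example, not code from the original post or from Prototype. It shows why eval()'ing a response is risky and how checking for the application/json content type and using a strict parser avoids it. The function names and sample responses are constructed for illustration, and it uses the built-in JSON.parse rather than Prototype's helper.

```javascript
// Added example: unsafeEvalParse and parseJsonResponse are hypothetical names.

// Constructed sample responses. The second one is not pure data: it carries
// an expression, standing in for script returned by a tampered endpoint.
const goodBody = '{"user": "alice", "unread": 3}';
const hostileBody = '{"user": "alice", "unread": (globalThis.sideEffect = "ran", 3)}';

// The pattern the post warns about: the response text is executed as code.
function unsafeEvalParse(body) {
  return eval('(' + body + ')');
}

// Safer handling: require the JSON content type, then use a real JSON parser,
// which accepts only data syntax and never executes anything.
function parseJsonResponse(contentType, body) {
  const mediaType = String(contentType || '').split(';')[0].trim().toLowerCase();
  if (mediaType !== 'application/json') {
    return { ok: false, error: 'unexpected content-type: ' + mediaType };
  }
  try {
    return { ok: true, data: JSON.parse(body) };
  } catch (e) {
    return { ok: false, error: 'not valid JSON' };
  }
}

// Runs both approaches over the constructed responses and reports what happened.
function demo() {
  globalThis.sideEffect = 'not run';
  const evalResult = unsafeEvalParse(hostileBody);
  const afterEval = globalThis.sideEffect; // embedded expression was executed

  globalThis.sideEffect = 'not run';
  const strict = parseJsonResponse('application/json; charset=utf-8', hostileBody);
  const afterParse = globalThis.sideEffect; // parser rejected it, nothing ran

  return {
    evalResult, afterEval, strict, afterParse,
    good: parseJsonResponse('application/json', goodBody),
    wrongType: parseJsonResponse('text/html', goodBody),
  };
}

console.log(demo());
```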