There are 2 common ways to send data to your php server from a webpage and both in essence are the exact same process.
1) POST - Request: This is most common for form submission (IE.. username, and password text boxes that submit those variables to a url). The variables are sent behind the scenes somewhat protected from general view. The user is taken to mydomain.com but the data you sent was passed in the request headers and not out in the open for the user to see.
Pros: data is hidden from plain view and more secure
2) GET - Request: This is most common for page drawing and not for sending sensitive information and passed in url param string (ei.. mydomain.com?version=1)
This sends a request to url just like the post does but the data you are passing is not hidden behind the scenes and is out in the open attached to the end of the url for the user to see.
Pros: when the page loads that param is still at the top so all future ajax request from that domain will also have this param attached to it
Both of these methods however require the browser to reload a url or goto a new one to pass this data to the server. Sometimes you may just want to send data but not have to reload the entire page for the user. This is where AJAX comes in. Ajax can do either of those by faking a form submission or url request and then returning what ever the server echo'ed back.
PHP sees an AJAX request no different than a form submission or url page request. its all the same. PHP gives you 3 global arrays for accessing
$_POST - this global var will contain any variables sent from a for submisison
$_GET - this global var will contain any variables that were sent in the url string
$_REQUEST this gets both. i don't see many people use this but its my favorite as i can use it for testing (putting params in the url) orproduction (actually POST'ing them)
And as you would expect the AJAX plugin in C2 supports both ..in truth it really doesn't matter which you choose since AJAX is hidden anyway (keep in mind you can press f12 on any browser and see it in the network traffic so no its not's completely hidden its just out of plain view of the user)
now when you are posting variables to PHP that will end up in a SQL command you need to protect your SQL database from injection. Imagine you have a SQL command like this
$username = $_REQUEST['username']
"SELECT * FROM users WHERE username='$username';"
if you think about it for a sec if some guy that understands SQL could instead of typing "troublesum" in the username text box you provided they type "troublesum'; DROP TABLES" . SQL will execute the two querys both selecting the user and the DROPPING ALL YOUR TABLES. You need to protect against and make sure SQL treats the entire $username var as a string and not allow additional commands. thats where mysqli_real_escape_string(). This will add slashes to those dangerous chars ; ' that allow them to hijack your command and wil see the whole thing as one long username which of course SQL wont find because the username "troublesum'; DROP TABLES" doesnt exist.
I think that about covers POST GET SQL 101 for today. good luck