How secure is the code?

I recently started working with JQ and am still studying it; I'm concerned about the security of my code:
$("#promocode").keyup(function() {
    var promocode = $(this).val();
    var countSim = $(this).val().length;
    if (countSim == 7) {
        $.ajax({
            type: "GET", // request method: POST or GET (defaults to GET if omitted)
            url: "page/basket/checkPromocode.php",
            data: {sendpromocode: promocode}, // data to send with the request
            success: function(data) { // runs when the request succeeds
                if ($.parseJSON(data).error != 'Promo code not accepted!') {
                    // code accepted: green box, show the discount and the new total
                    $('#errorStyle').attr('style', 'padding: 0px 0px 20px 0px;border: 2px solid #8BC34A;border-radius: 10px;box-shadow: 0 0 8px #8BC34A;background-color: #dbf7bb;');
                    $('#loadPromoError').html('Discount promo code');
                    $('#loadsumPromo').show('slow');
                    $('#sumSkdPromo').show('slow');
                    $('#sumSkdPromo').html($.parseJSON(data).skdsum);
                    $('#totalPrice').attr('style', 'text-decoration: line-through;font-size: 12pt;');
                    $('#totalPricePromocode').show('slow');
                    $('#totalPricePromocode').html($.parseJSON(data).strNewSum);
                } else {
                    // code rejected: red box with the error text from the server
                    $('#errorStyle').attr('style', 'padding: 0px 0px 20px 0px;border-radius: 10px;border: 2px solid #e07575;box-shadow: 0 0 8px #e07575;background-color: #ffdada;');
                    $('#loadsumPromo').show('slow');
                    $('#sumSkdPromo').hide();
                    $('#loadPromoError').html($.parseJSON(data).error);
                }
            }
        });
    } else {
        // wrong length: hide the promo output and restore the original price style
        $('#loadsumPromo').hide();
        $('#sumSkdPromo').hide();
        $('#totalPricePromocode').hide();
        $('#totalPrice').removeAttr('style'); // removeAttr takes only the attribute name
    }
});

The code is certainly not perfect, but it is :) The question is whether, or how, an attacker could play a prank using this code. The page with the script is protected on picks, often the treatment itself is magical strip_tags... Thanks for the replies and suggestions on the code :)
July 2nd 19 at 13:43
2 answers
July 2nd 19 at 13:45
Solution
Too little to go on - the backend code is needed: page/basket/checkPromocode.php
If you check $_GET['sendpromocode'] using a regex, for example /[a-z0-9]{8}/i (the code length is always 8 characters), we can say that everything is safe.
July 2nd 19 at 13:47
Solution
You call parseJSON 3 times, eh.
And about safety - this code is relatively safe.
Thanks, corrected... - Vernon.Schu commented on July 2nd 19 at 13:50
: Note: RELATIVELY safe. If someone manages to compromise the backend, then .html will work against you - blake_Eichma commented on July 2nd 19 at 13:53
: So it is better to use text()? Or did I misunderstand? - Vernon.Schu commented on July 2nd 19 at 13:56
: Yes, if the data is in text format. - blake_Eichma commented on July 2nd 19 at 13:59
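
An added example, not code from the question or the answers: a JavaScript sketch of the two checks discussed above, the 8-character format check from the first answer (anchored here with ^ and $) and parsing the response once into validated strings that can be written with text() instead of html(). The function names, the amount format and the 'Unexpected response' message are assumptions.

```javascript
'use strict';
// Added example; isPromoCodeFormat, asAmount and toPromoView are hypothetical names.

// The 8-character pattern from the first answer, anchored with ^ and $ so
// that a longer string merely containing 8 alphanumerics is rejected.
const PROMO_RE = /^[a-z0-9]{8}$/i;

function isPromoCodeFormat(code) {
  return typeof code === 'string' && PROMO_RE.test(code);
}

// Assumption: amounts are plain decimals such as "150" or "1350.50".
const AMOUNT_RE = /^\d{1,9}(\.\d{1,2})?$/;

function asAmount(value) {
  const s = typeof value === 'number' ? String(value) : value;
  return typeof s === 'string' && AMOUNT_RE.test(s) ? s : null;
}

// Parse the checkPromocode.php response once and return only validated
// strings, meant to be written with .text() instead of .html().
function toPromoView(raw) {
  const fail = (message) => ({ ok: false, message });
  let data;
  try {
    data = JSON.parse(raw);
  } catch (e) {
    return fail('Unexpected response');
  }
  if (data === null || typeof data !== 'object') return fail('Unexpected response');
  if (typeof data.error === 'string' && data.error !== '') return fail(data.error);

  const discount = asAmount(data.skdsum);
  const newTotal = asAmount(data.strNewSum);
  if (discount === null || newTotal === null) return fail('Unexpected response');
  return { ok: true, message: 'Discount promo code', discount, newTotal };
}

// In the success callback (jQuery, browser only):
//   const view = toPromoView(data);
//   $('#loadPromoError').text(view.message);
//   if (view.ok) {
//     $('#sumSkdPromo').text(view.discount);
//     $('#totalPricePromocode').text(view.newTotal);
//   }
```

The same anchored format check belongs on the server in checkPromocode.php as well, since the client-side check can be bypassed by calling the URL directly.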
