Matthew Weier O'Phinney wrote:
The reason I ask is that (1) it shouldn't matter HOW the HTTP request is initiated. What *should* matter is that the page handles the request gracefully and returns something (HTTP headers only, or headers + page) as a result.
That's an interesting way of explaining that. I think I might try to come up with something similar, since this question comes up a lot. It seems clearer than any way that I've explained it in the past.
Prior, when people asked me how to prevent spoofing forms, I would usually say something to the effect of, "don't worry about it," and throw in CSRF attacks as the only caveat. My point was that it shouldn't matter what the client sends, as long as it abides by your rules.
Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

--
PHP General Mailing List (http://www.php.net/)
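
The principle discussed in this thread, as an added example that is not part of the original messages: a PHP handler that never asks how a request was produced, only whether it carries the session's CSRF token and whether every field obeys the server's rules. The field names, patterns and the `issue_csrf_token()` / `handle_post()` helpers are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical rules for a comment form. A request is accepted only if every
// field passes, no matter which client or form produced it.
const RULES = [
    'name'    => '/\A[\p{L} .\'-]{1,50}\z/u',
    'email'   => null, // checked with filter_var() below
    'comment' => '/\A[^\x00-\x08\x0B\x0C\x0E-\x1F]{1,2000}\z/u',
];

function issue_csrf_token(array &$session): string
{
    // One unpredictable token per session, sent to the browser in a hidden field.
    $session['csrf'] ??= bin2hex(random_bytes(32));
    return $session['csrf'];
}

function handle_post(array $post, array $session): array
{
    // The CSRF caveat: the request must carry the token tied to this session.
    $sent = $post['csrf'] ?? '';
    if (!is_string($sent) || !isset($session['csrf'])
        || !hash_equals($session['csrf'], $sent)) {
        return [403, 'invalid token'];
    }
    $clean = [];
    foreach (RULES as $field => $pattern) {
        $value = $post[$field] ?? null;
        if (!is_string($value)) { // missing, or an array sent as field[]=
            return [400, "bad field: $field"];
        }
        $ok = $pattern === null
            ? filter_var($value, FILTER_VALIDATE_EMAIL) !== false
            : preg_match($pattern, $value) === 1;
        if (!$ok) {
            return [400, "bad field: $field"];
        }
        $clean[$field] = $value;
    }
    return [200, $clean];
}

// Constructed sample data standing in for $_SESSION and $_POST.
$session = [];
$good = ['csrf' => issue_csrf_token($session), 'name' => 'Ann',
         'email' => 'ann@example.org', 'comment' => 'Hi'];
var_dump(handle_post($good, $session)[0]);
var_dump(handle_post(['csrf' => 'guess'] + $good, $session)[0]);
var_dump(handle_post(['name' => ['x']] + $good, $session)[0]);
```

The handler has no Referer or "which form sent this" check at all; the token comparison and the per-field rules are the only gates.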