On 6/4/06, Larry Garfield <larry@xxxxxxxxxxxxxxxx> wrote:
> Only if delete.php is a confirmation page. Never ever ever have a delete function that operates solely by GET. Here's why: http://thedailywtf.com/forums/thread/66166.aspx
Yes, I've seen that one before. IMO the main problem there is the faulty authentication system. If you put delete links public, and fail to put proper authentication in place, someone's going to delete your content, no matter if the delete action is a POST submit button or a GET link. I don't see how POST is better/more secure for a delete action.

Rabin

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
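Added example, not code posted by either participant: a delete.php that combines the two points raised in this exchange, showing only a confirmation form on GET and deleting only on an authenticated POST. The session keys, the `id` and `csrf` parameters and `delete_item()` are hypothetical, and the per-session token goes beyond what the thread discusses.

```php
<?php
// delete.php: added illustration. Session keys, parameter names and
// delete_item() are hypothetical, not taken from the thread.
session_start();

function delete_item(int $id): void
{
    // Placeholder for the application's real storage call (assumption).
    error_log("item $id deleted by user " . $_SESSION['user_id']);
}

// Authentication comes first, whatever the request method is.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not logged in.');
}

$method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
$source = ($method === 'POST') ? $_POST : $_GET;
$id = filter_var($source['id'] ?? null, FILTER_VALIDATE_INT);
if ($id === false) {
    http_response_code(400);
    exit('Missing or invalid id.');
}

if ($method === 'GET' || $method === 'HEAD') {
    // Safe methods: render the confirmation form and change nothing, so a
    // crawler or link prefetcher following the URL cannot delete content.
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
    printf(
        '<form method="post" action="delete.php"><input type="hidden" name="id" value="%d">' .
        '<input type="hidden" name="csrf" value="%s"><button>Really delete item %d?</button></form>',
        $id, htmlspecialchars($_SESSION['csrf'], ENT_QUOTES), $id
    );
    exit;
}
if ($method !== 'POST') {
    http_response_code(405);
    header('Allow: GET, HEAD, POST');
    exit('Method not allowed.');
}

// State change: only on POST, only with the token issued to this session.
$token = $_POST['csrf'] ?? '';
if (!is_string($token) || empty($_SESSION['csrf']) || !hash_equals($_SESSION['csrf'], $token)) {
    http_response_code(403);
    exit('Invalid or missing token.');
}
unset($_SESSION['csrf']);
delete_item($id);
echo 'Deleted.';
```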