On Mon, Jun 1, 2009 at 2:43 PM, James Ausmus <james.ausmus.lists@xxxxxxxxx>wrote: > On Mon, Jun 1, 2009 at 12:32 PM, Matthew McKay <matt@xxxxxxxxxxxxx> wrote: > > It would be much simpler and cleaner to use Javascript to modify the > form's > > action attribute onClick. > > > > Not really. What about clients who don't have Javascript installed? > What about users who want to either do something nefarious or just to > see what happens, - exposing your "Delete my record"-specific PHP > code could potentially cause security holes. The less of your internal > interface/structure you expose to the end user, the less easy it is > for the casual script kiddies to find the security holes that you have > (and yes, everyone has them... ;) ) > > -James > How is passing parameters to a 'delete' action different than passing 'delete' as a parameter to a general purpose action? You do have a point with not all clients having Javascript. It would be a business decision on the part of Shawn if he wants to support the fraction of users running browsers without support for the most basic of extensions.
