On Mon, Jun 1, 2009 at 2:59 PM, Matthew McKay <matt@xxxxxxxxxxxxx> wrote:
> On Mon, Jun 1, 2009 at 2:43 PM, James Ausmus
> <james.ausmus.lists@xxxxxxxxx> wrote:
>
>> On Mon, Jun 1, 2009 at 12:32 PM, Matthew McKay <matt@xxxxxxxxxxxxx> wrote:
>> > It would be much simpler and cleaner to use Javascript to modify the
>> > form's action attribute onClick.
>> >
>>
>> Not really. What about clients who don't have Javascript installed?
>> What about users who want to either do something nefarious or just to
>> see what happens, - exposing your "Delete my record"-specific PHP
>> code could potentially cause security holes. The less of your internal
>> interface/structure you expose to the end user, the less easy it is
>> for the casual script kiddies to find the security holes that you have
>> (and yes, everyone has them... ;) )
>>
>> -James
>>
>
> How is passing parameters to a 'delete' action different than passing
> 'delete' as a parameter to a general purpose action?
> You do have a point with not all clients having Javascript. It would be a
> business decision on the part of Shawn if he wants to support the fraction
> of users running browsers without support for the most basic of extensions.

Often times, it has absolutely nothing to do with the browser's
capability, and more to do with the user's purposeful deactivation of
the "feature."

http://noscript.net

--
// Todd

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php