Brian Kotek wrote:
> That's fine, but it doesn't change anything in my mind. Just because a
> crawler won't submit a form doesn't mean that a user (or a non-compliant
> crawler) won't. It's also not complicated for a user to modify the headers
> to issue a post instead of a get or vice versa. The point being, if you have
> something that can trigger a data change, you have to assume someone can
> execute it regardless of whether it is a POST or a GET and regardless of
> whether it was initiated by a crawler or something else. It's far more
> critical in my mind to make sure that only people or agents that you want to
> be changing data can actually change the data.

I fully agree.

> The triviality of whether the
> request was a POST or a GET seems to mean nothing.

And here I disagree. After you have ensured that only authorized users and agents have access, using the correct method is important enough to get it right.

Jochem

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:291128