On Mon, Jun 1, 2009 at 2:43 PM, James Ausmus

> On Mon, Jun 1, 2009 at 12:32 PM, Matthew McKay <m...@mattmckay.org> wrote:
> > It would be much simpler and cleaner to use Javascript to modify the
> form's
> > action attribute onClick.
> >
> Not really. What about clients who don't have Javascript installed?
> What about users who want to either do something nefarious or just to
> see what happens,  - exposing your "Delete my record"-specific PHP
> code could potentially cause security holes. The less of your internal
> interface/structure you expose to the end user, the less easy it is
> for the casual script kiddies to find the security holes that you have
> (and yes, everyone has them... ;)  )
> -James

How is passing parameters to a 'delete' action different than passing
'delete' as a parameter to a general purpose action?
You do have a point with not all clients having Javascript. It would be a
business decision on the part of Shawn if he wants to support the fraction
of users running browsers without support for the most basic of extensions.

Reply via email to