On Fri, Aug 25, 2006 at 06:33:51PM +0100, Rob Church wrote:
On 25/08/06, Timwi <timwi@gmx.net> wrote:
The kinds of webmasters we are talking about here will assume that you can never fire a given GET URL if you never see a page with a link to it on it.
(Which is still a damn stupid assumption to make)
Not as bad as the ones who allow elementary SQL injection, etc. etc. There's probably still hundreds of thousands of web sites out there with basic flaws in. :)
Indeed; I can easily visualize a forum message page with a Delete Me link right on it.
Further authorization should clearly be required for that to actually happen, but the concept of such a link *existing* on a page isn't by any means beyond the pale...
Cheers,
-- jra