Rowan Collins wrote:
There's even HTML attributes to tell the browser which ones should start checked, so unless someone *really* tried they couldn't select less than two anyway.
Never assume that. Never assume any browser works in any way you want, and never assume malicious users might not send erroneous POST requests by themselves. If you make assumptions, the cases you assume are impossible can in some cases give rise to an exploit.
Timwi