I share Randy's questions, but want to diverge to discuss one thing.

On Tue, May 11, 2010 at 6:55 AM, Randy Fay <randy@randyfay.com> wrote:
> The converse is a *really* bad idea: using a GET when changing state on the server, of course - this is the path to XSS everywhere.
It's a path to CSRF (cross site request forgery) and not XSS (cross site scripting). But really the answer is that you should use GET/POST depending on what makes the most sense in general and then protect it in a sane way - either with the default token that FAPI gives you or via a self-created/self-verified query string token.

All this and more documented at http://crackingdrupal.com/node/48

Regards,
Greg

--
Greg Knaddison | 303-800-5623 | http://growingventuresolutions.com
Mastering Drupal | http://www.masteringdrupal.com
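As an added illustration of the self-created, self-verified query string token Greg describes (this is example code, not code from the thread or from Drupal itself; the function names, the private key and the session values are constructed for the example), the token is an HMAC bound to the action, the user's session and a server-side secret, so a link forged by a third-party site cannot carry a valid one:

```php
<?php
// Added example of a self-verified query-string token for a state-changing GET link.
// Same principle as a form token: bind the token to the action, the requesting
// user's session and a server-side secret. Names and values are constructed;
// inside Drupal you would use its own drupal_get_token()/drupal_valid_token().

// Server-side secret (constructed; in practice a long random value kept in config).
const SITE_PRIVATE_KEY = 'constructed-private-key-replace-in-production';

// Token = HMAC over the action name, keyed with the session id plus the site secret,
// so it is only valid for this action and this user's session.
function action_token(string $action, string $session_id): string {
    return hash_hmac('sha256', $action, $session_id . SITE_PRIVATE_KEY);
}

// Build the link the page renders, e.g. /node/42/unpublish?token=...
function action_link(string $path, string $action, string $session_id): string {
    return $path . '?token=' . rawurlencode(action_token($action, $session_id));
}

// Verify on the request that performs the action. A missing or empty token is
// rejected outright; hash_equals() is a constant-time comparison, so the check
// does not leak the expected token through timing.
function valid_action_token(?string $token, string $action, string $session_id): bool {
    if ($token === null || $token === '') {
        return false;
    }
    return hash_equals(action_token($action, $session_id), $token);
}

// Demonstration with constructed values.
$session = 'sess-abc123';   // the requesting user's session id
$link = action_link('/node/42/unpublish', 'unpublish-node-42', $session);
parse_str((string) parse_url($link, PHP_URL_QUERY), $query);

// Legitimate link, same action and session as the token was issued for.
var_dump(valid_action_token($query['token'], 'unpublish-node-42', $session));
// Same token replayed against a different action.
var_dump(valid_action_token($query['token'], 'delete-node-42', $session));
// Same token presented from another user's session.
var_dump(valid_action_token($query['token'], 'unpublish-node-42', 'sess-other'));
// Forged link that carries no token at all.
var_dump(valid_action_token(null, 'unpublish-node-42', $session));
```

The same check applies whether the action arrives by GET or POST; the method choice is about semantics, the token is what stops the cross-site request.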